{
"type": "Domain",
"indicator": "creeo.studio",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/creeo.studio",
"alexa": "http://www.alexa.com/siteinfo/creeo.studio",
"indicator": "creeo.studio",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3752652040,
"indicator": "creeo.studio",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"URL": 5165,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"CVE": 1
},
"indicator_count": 17526,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"URL": 3826,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10542,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc6c9f25c71625fb0b9e6",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-05-14T04:01:31.012000",
"created": "2026-04-14T04:47:05.317000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2050,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc67ab71a32bb4cd407ca",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-05-14T04:01:31.012000",
"created": "2026-04-14T04:45:46.815000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2050,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc674d6814ef6ff10b49a",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-05-14T04:01:31.012000",
"created": "2026-04-14T04:45:40.694000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 513,
"FileHash-SHA256": 807,
"domain": 136,
"FileHash-MD5": 335,
"FileHash-SHA1": 278,
"URL": 721
},
"indicator_count": 2790,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d4442a0b5217c34bbcbd2d",
"name": "VirusTotal report\n for install.sh",
"description": "",
"modified": "2026-05-06T23:07:30.047000",
"created": "2026-04-06T23:39:22.105000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 43,
"FileHash-SHA1": 45,
"FileHash-SHA256": 1421,
"URL": 261,
"hostname": 73,
"domain": 235,
"email": 1
},
"indicator_count": 2079,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d44428ad43f231ff43e175",
"name": "VirusTotal report\n for install.sh",
"description": "",
"modified": "2026-05-06T23:07:30.047000",
"created": "2026-04-06T23:39:20.767000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 43,
"FileHash-SHA1": 45,
"FileHash-SHA256": 1421,
"URL": 261,
"hostname": 73,
"domain": 235,
"email": 1
},
"indicator_count": 2079,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d1396bb42208f8aa25b8ae",
"name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable",
"description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.",
"modified": "2026-05-04T15:01:49.491000",
"created": "2026-04-04T16:16:43.680000",
"tags": [
"binary",
"yara rule",
"binary file",
"yara",
"pe section",
"av detections",
"ip address",
"url analysis",
"urls",
"singapore",
"singapore asn",
"as14061",
"edgeview drive",
"suite",
"broomfield",
"colorado",
"key usage",
"handle",
"v3 serial",
"number",
"cert validity",
"asia pacific",
"traefik default",
"cert",
"thumbprint",
"name",
"all filehash",
"learn",
"adversaries",
"calls",
"ck id",
"name tactics",
"suspicious",
"informative",
"reads",
"defense evasion",
"loads",
"model",
"call",
"getprocaddress",
"span",
"path",
"mitre att",
"ck matrix",
"access type",
"value",
"windir",
"open",
"error",
"click",
"contact",
"meta",
"april",
"hybrid",
"format",
"strings",
"united",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"status",
"fastest privacy",
"first dns",
"trojan",
"pegasus",
"title",
"dynamicloader",
"ms windows",
"intel",
"pe32 executable",
"win32",
"medium",
"pe32",
"high",
"mozilla",
"delphi",
"injectdll",
"write",
"malware",
"observer",
"stream",
"unknown",
"lredmond",
"stwa",
"omicrosoft",
"stwashington",
"server ca",
"https domain",
"accept",
"read c",
"ogoogle trust",
"worm",
"code",
"td td",
"td tr",
"a td",
"dynamic dns",
"name servers",
"arial",
"zeppelin",
"null",
"enough",
"hosts",
"fast",
"tls sni",
"cloudflare dns",
"google dns",
"showing",
"get icarus",
"show",
"ascii text",
"global",
"next",
"cc fd",
"d4 dc",
"a3 ad",
"a8 c7",
"bb c7",
"f0 f1",
"f4 ca",
"bc a1",
"win64",
"local",
"otx logo",
"hostname",
"passive dns",
"files",
"less",
"related tags",
"servers",
"certificate",
"domain",
"cloudflare",
"khtml",
"gecko",
"ids detections",
"yara detections",
"ip lookup",
"encrypt",
"elf executable",
"sysv",
"linux",
"elf64 operation",
"unix",
"exec amd6464",
"elf geomi",
"modify system",
"process l",
"t1543",
"systemd service",
"ta0004",
"techniques",
"process create",
"modify syst",
"t1036 indicator",
"remc t1070",
"file",
"directoi t1222",
"t1027 masquerac",
"t1070",
"data upload",
"extraction",
"failed",
"ta0005",
"t1027",
"memory pattern",
"domains",
"dns resolutions",
"full reports",
"v ip",
"traffic tcp",
"g sh",
"c tmpsample",
"binrm f",
"usrbinid id",
"usrbinsystemctl",
"proc1environ",
"proccpuinfo",
"include",
"review exclude",
"sample",
"https",
"performs dns",
"tls version",
"mitre attack",
"network info",
"file type",
"persistence",
"include review",
"exclude sugges",
"find s",
"unique ru",
"review occ",
"exclude data",
"alvoes",
"include data",
"suggest",
"find c",
"typ filet",
"filet ce",
"layer protocol",
"http performs",
"reads cpu",
"proc indicative",
"filet filet",
"pulse",
"file hach",
"h1256",
"filer data",
"typ data",
"filer filehuon",
"filet filer",
"exchange all",
"typ no",
"no entri",
"exclude",
"suggested ocs",
"manualy",
"hua muicalul",
"find",
"indicatore",
"typ innicatad",
"new threat",
"dive into",
"zergeca botnet",
"reference",
"report publish",
"zergeca",
"all se",
"matches edolavd",
"matches data",
"matches matches",
"type",
"extr",
"tico data",
"get hello",
"mirai variant",
"useragent",
"hello",
"outbound",
"world",
"search",
"hackingtrio ua",
"inbound",
"mirai",
"info",
"shell",
"pulse pulses",
"files ip",
"address domain",
"ip related",
"labs pulses",
"pulses",
"post",
"http traffic",
"tocstut",
"reference id",
"xor key",
"canada",
"america",
"germany",
"doh",
"ddos",
"botnet",
"en",
"xor",
"twitter",
"stop",
"loader",
"downloader",
"zerg",
"mirai",
"golang",
"c2 resolution",
"germany",
"c2 ip",
"virustotal",
"smux",
"ck ids",
"t1082",
"applescript",
"t1190",
"application",
"private server",
"t1609",
"command",
"unix shell",
"software supply",
"service",
"chain",
"t1499",
"entries",
"otx telemetry",
"next associated",
"backdoor",
"detections",
"sha256 add",
"alerts",
"heur",
"all domain",
"creation date",
"record value",
"aaaa",
"date",
"unknown ns",
"ponmocup post",
"infection dns",
"mtb nov",
"ipv4 add",
"external ip",
"copy"
],
"references": [
"www.joewa.com",
"Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name",
"Yara Detections: MacSync_AppleScript_Stealer , UPX ,",
"Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/",
"Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena/",
"Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more",
"Loads modules at runtime Looks up procedures from modules",
"(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007",
"https://cloudflare-dns.com/dns | cloudflare-dns.com",
"https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522",
"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com",
"https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f",
"6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)",
"\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca",
"\u2018Can't access file\u2019[Found in Zergeca Botnet]",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections",
"IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56",
"Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org",
"Crowdsourced SIGMA Below:",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Crowdsourced IDS Below:",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Unique rule identifier: This rule belongs to a private collection.",
"geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi",
"https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO",
"Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/",
"crypto-pool.fr",
"i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645",
"Muslims have built, supported, and assisted. or Muslims: Support and Solidarity",
"LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado",
"IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST",
"IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)",
"IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)",
"IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)",
"IDS: Observed Suspicious UA (Hello, World)",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,",
"Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: cape_detected_threat",
"IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184",
"IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248",
"Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]",
"https://dns.google/resolve?name=SELECT",
"31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]",
"multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]",
"84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]",
"Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets",
"Since September 2023, according to an analysis by cyber security firm XLab CTIA.",
"Address shows an place of origin: Broomfield , Co",
"Believed to be originating from Germany and Russia",
"BGP Hurricane Electric seen",
"Potentially Pegasus related . Found to be affecting an IOS device",
"Indicators seen may have affected a few OTX users. Is ongoing",
"Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple",
"This pulse is so huge it\u2019s a mess. Will break down."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Thailand",
"Germany",
"Canada"
],
"malware_families": [
{
"id": "Win.Malware.Salat-10058846-0",
"display_name": "Win.Malware.Salat-10058846-0",
"target": null
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"target": null
},
{
"id": "Trojan.Sagnt/R011c0dfs24",
"display_name": "Trojan.Sagnt/R011c0dfs24",
"target": null
},
{
"id": "Zergeca",
"display_name": "Zergeca",
"target": null
},
{
"id": "Unix.Trojan.Mirai",
"display_name": "Unix.Trojan.Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7669677-0",
"display_name": "Unix.Trojan.Mirai-7669677-0",
"target": null
},
{
"id": "CVE-2018-10562",
"display_name": "CVE-2018-10562",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2024-6387",
"display_name": "CVE-2024-6387",
"target": null
},
{
"id": "CVE-2025-20393",
"display_name": "CVE-2025-20393",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1037.002",
"name": "Logon Script (Mac)",
"display_name": "T1037.002 - Logon Script (Mac)"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1590.005",
"name": "IP Addresses",
"display_name": "T1590.005 - IP Addresses"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1056.004",
"name": "Credential API Hooking",
"display_name": "T1056.004 - Credential API Hooking"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1543.002",
"name": "Systemd Service",
"display_name": "T1543.002 - Systemd Service"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1608.002",
"name": "Upload Tool",
"display_name": "T1608.002 - Upload Tool"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1499",
"name": "Endpoint Denial of Service",
"display_name": "T1499 - Endpoint Denial of Service"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1609",
"name": "Container Administration Command",
"display_name": "T1609 - Container Administration Command"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1195.002",
"name": "Compromise Software Supply Chain",
"display_name": "T1195.002 - Compromise Software Supply Chain"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1583.003",
"name": "Virtual Private Server",
"display_name": "T1583.003 - Virtual Private Server"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 795,
"FileHash-SHA1": 648,
"FileHash-SHA256": 3708,
"URL": 2587,
"domain": 739,
"hostname": 1129,
"email": 14,
"CIDR": 15,
"SSLCertFingerprint": 18,
"CVE": 4
},
"indicator_count": 9657,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "28 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d1395ab63bf8e8d2c384eb",
"name": "Zergeca + Mirai + Salat + Autorun = Bigger Stronger packed Botnet Nightmare | Affecting untold infrastructure. Virtually undetectable",
"description": "The sample is a packed malicious loader, likely a first-stage component. Key indicators include: 1) A custom implementation of an LZMA-style decompression algorithm within the '_start' function, used to unpack an embedded payload. 2) Use of direct syscalls (sys_open, sys_mmap) in 'sub_16d1efc' to manually map executable memory and transfer control to the second stage ('jump(rdx_2)'). 3) Extremely high entropy and a lack of standard ELF sections/imports, typical of obfuscated malware. 4) The use of '/proc/self/exe' and low-level I/O instructions (in/out) in 'sub_16d271e' suggests anti-analysis or self-replication capabilities. Relevant IOC: SHA256 [6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29.] Name: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29\n703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf\ngeomi\n*Infrastructure Obfuscation\n*Low Detection Rate: Zergeca samples, packed with a modified UPX packer, continues to yield very low detection rates on VirusTotal.",
"modified": "2026-05-04T15:01:49.491000",
"created": "2026-04-04T16:16:26.128000",
"tags": [
"binary",
"yara rule",
"binary file",
"yara",
"pe section",
"av detections",
"ip address",
"url analysis",
"urls",
"singapore",
"singapore asn",
"as14061",
"edgeview drive",
"suite",
"broomfield",
"colorado",
"key usage",
"handle",
"v3 serial",
"number",
"cert validity",
"asia pacific",
"traefik default",
"cert",
"thumbprint",
"name",
"all filehash",
"learn",
"adversaries",
"calls",
"ck id",
"name tactics",
"suspicious",
"informative",
"reads",
"defense evasion",
"loads",
"model",
"call",
"getprocaddress",
"span",
"path",
"mitre att",
"ck matrix",
"access type",
"value",
"windir",
"open",
"error",
"click",
"contact",
"meta",
"april",
"hybrid",
"format",
"strings",
"united",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"status",
"fastest privacy",
"first dns",
"trojan",
"pegasus",
"title",
"dynamicloader",
"ms windows",
"intel",
"pe32 executable",
"win32",
"medium",
"pe32",
"high",
"mozilla",
"delphi",
"injectdll",
"write",
"malware",
"observer",
"stream",
"unknown",
"lredmond",
"stwa",
"omicrosoft",
"stwashington",
"server ca",
"https domain",
"accept",
"read c",
"ogoogle trust",
"worm",
"code",
"td td",
"td tr",
"a td",
"dynamic dns",
"name servers",
"arial",
"zeppelin",
"null",
"enough",
"hosts",
"fast",
"tls sni",
"cloudflare dns",
"google dns",
"showing",
"get icarus",
"show",
"ascii text",
"global",
"next",
"cc fd",
"d4 dc",
"a3 ad",
"a8 c7",
"bb c7",
"f0 f1",
"f4 ca",
"bc a1",
"win64",
"local",
"otx logo",
"hostname",
"passive dns",
"files",
"less",
"related tags",
"servers",
"certificate",
"domain",
"cloudflare",
"khtml",
"gecko",
"ids detections",
"yara detections",
"ip lookup",
"encrypt",
"elf executable",
"sysv",
"linux",
"elf64 operation",
"unix",
"exec amd6464",
"elf geomi",
"modify system",
"process l",
"t1543",
"systemd service",
"ta0004",
"techniques",
"process create",
"modify syst",
"t1036 indicator",
"remc t1070",
"file",
"directoi t1222",
"t1027 masquerac",
"t1070",
"data upload",
"extraction",
"failed",
"ta0005",
"t1027",
"memory pattern",
"domains",
"dns resolutions",
"full reports",
"v ip",
"traffic tcp",
"g sh",
"c tmpsample",
"binrm f",
"usrbinid id",
"usrbinsystemctl",
"proc1environ",
"proccpuinfo",
"include",
"review exclude",
"sample",
"https",
"performs dns",
"tls version",
"mitre attack",
"network info",
"file type",
"persistence",
"include review",
"exclude sugges",
"find s",
"unique ru",
"review occ",
"exclude data",
"alvoes",
"include data",
"suggest",
"find c",
"typ filet",
"filet ce",
"layer protocol",
"http performs",
"reads cpu",
"proc indicative",
"filet filet",
"pulse",
"file hach",
"h1256",
"filer data",
"typ data",
"filer filehuon",
"filet filer",
"exchange all",
"typ no",
"no entri",
"exclude",
"suggested ocs",
"manualy",
"hua muicalul",
"find",
"indicatore",
"typ innicatad",
"new threat",
"dive into",
"zergeca botnet",
"reference",
"report publish",
"zergeca",
"all se",
"matches edolavd",
"matches data",
"matches matches",
"type",
"extr",
"tico data",
"get hello",
"mirai variant",
"useragent",
"hello",
"outbound",
"world",
"search",
"hackingtrio ua",
"inbound",
"mirai",
"info",
"shell",
"pulse pulses",
"files ip",
"address domain",
"ip related",
"labs pulses",
"pulses",
"post",
"http traffic",
"tocstut",
"reference id",
"xor key",
"canada",
"america",
"germany",
"doh",
"ddos",
"botnet",
"en",
"xor",
"twitter",
"stop",
"loader",
"downloader",
"zerg",
"mirai",
"golang",
"c2 resolution",
"germany",
"c2 ip",
"virustotal",
"smux",
"ck ids",
"t1082",
"applescript",
"t1190",
"application",
"private server",
"t1609",
"command",
"unix shell",
"software supply",
"service",
"chain",
"t1499",
"entries",
"otx telemetry",
"next associated",
"backdoor",
"detections",
"sha256 add",
"alerts",
"heur",
"all domain",
"creation date",
"record value",
"aaaa",
"date",
"unknown ns",
"ponmocup post",
"infection dns",
"mtb nov",
"ipv4 add",
"external ip",
"copy"
],
"references": [
"www.joewa.com",
"Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name",
"Yara Detections: MacSync_AppleScript_Stealer , UPX ,",
"Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/",
"Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"https://blackbox-exporter.lenovo-k8s.home.local.advena/",
"Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more",
"Loads modules at runtime Looks up procedures from modules",
"(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007",
"https://cloudflare-dns.com/dns | cloudflare-dns.com",
"https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522",
"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com",
"https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f",
"6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)",
"\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca",
"\u2018Can't access file\u2019[Found in Zergeca Botnet]",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections",
"IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56",
"Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org",
"Crowdsourced SIGMA Below:",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Crowdsourced IDS Below:",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Unique rule identifier: This rule belongs to a private collection.",
"geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi",
"https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO",
"Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/",
"crypto-pool.fr",
"i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645",
"Muslims have built, supported, and assisted. or Muslims: Support and Solidarity",
"LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado",
"IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST",
"IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)",
"IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution",
"IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)",
"IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)",
"IDS: Observed Suspicious UA (Hello, World)",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,",
"Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: cape_detected_threat",
"IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184",
"IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248",
"Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]",
"https://dns.google/resolve?name=SELECT",
"31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]",
"multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]",
"84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]",
"Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets",
"Since September 2023, according to an analysis by cyber security firm XLab CTIA.",
"Address shows an place of origin: Broomfield , Co",
"Believed to be originating from Germany and Russia",
"BGP Hurricane Electric seen",
"Potentially Pegasus related . Found to be affecting an IOS device",
"Indicators seen may have affected a few OTX users. Is ongoing",
"Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple",
"This pulse is so huge it\u2019s a mess. Will break down."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Thailand",
"Germany",
"Canada"
],
"malware_families": [
{
"id": "Win.Malware.Salat-10058846-0",
"display_name": "Win.Malware.Salat-10058846-0",
"target": null
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.VBGeneric-6735875-0",
"display_name": "Win.Trojan.VBGeneric-6735875-0",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn",
"target": null
},
{
"id": "Trojan.Sagnt/R011c0dfs24",
"display_name": "Trojan.Sagnt/R011c0dfs24",
"target": null
},
{
"id": "Zergeca",
"display_name": "Zergeca",
"target": null
},
{
"id": "Unix.Trojan.Mirai",
"display_name": "Unix.Trojan.Mirai",
"target": null
},
{
"id": "Unix.Trojan.Mirai-7669677-0",
"display_name": "Unix.Trojan.Mirai-7669677-0",
"target": null
},
{
"id": "CVE-2018-10562",
"display_name": "CVE-2018-10562",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2024-6387",
"display_name": "CVE-2024-6387",
"target": null
},
{
"id": "CVE-2025-20393",
"display_name": "CVE-2025-20393",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1055.003",
"name": "Thread Execution Hijacking",
"display_name": "T1055.003 - Thread Execution Hijacking"
},
{
"id": "T1037.002",
"name": "Logon Script (Mac)",
"display_name": "T1037.002 - Logon Script (Mac)"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1590.005",
"name": "IP Addresses",
"display_name": "T1590.005 - IP Addresses"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1546.015",
"name": "Component Object Model Hijacking",
"display_name": "T1546.015 - Component Object Model Hijacking"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1056.004",
"name": "Credential API Hooking",
"display_name": "T1056.004 - Credential API Hooking"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1543.002",
"name": "Systemd Service",
"display_name": "T1543.002 - Systemd Service"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1608.002",
"name": "Upload Tool",
"display_name": "T1608.002 - Upload Tool"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1021",
"name": "Remote Services",
"display_name": "T1021 - Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1195",
"name": "Supply Chain Compromise",
"display_name": "T1195 - Supply Chain Compromise"
},
{
"id": "T1499",
"name": "Endpoint Denial of Service",
"display_name": "T1499 - Endpoint Denial of Service"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1609",
"name": "Container Administration Command",
"display_name": "T1609 - Container Administration Command"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1195.002",
"name": "Compromise Software Supply Chain",
"display_name": "T1195.002 - Compromise Software Supply Chain"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1583.003",
"name": "Virtual Private Server",
"display_name": "T1583.003 - Virtual Private Server"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 795,
"FileHash-SHA1": 648,
"FileHash-SHA256": 3708,
"URL": 2587,
"domain": 739,
"hostname": 1129,
"email": 14,
"CIDR": 15,
"SSLCertFingerprint": 18,
"CVE": 4
},
"indicator_count": 9657,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "28 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e9c8d45d1cd544e7e778f9",
"name": "[The Real Jane Doe Syndrome Files] Credit: Ravescoutllc [clone]",
"description": "Researcher @Ravescoutllc. Posts this decription:\n\"An array of scripts and files designed to completely compromise your MacBook and effectively erase your digital identity from the internet exists. This type of targeted attack is perpetrated by various groups for political or monetary agendas. It gradually takes over your devices and consumes your energy, time, career, and overall quality of life. In my case, the adversary involved is the DragonForce Malaysia Hacker Group.\" -Ravescoutllc.",
"modified": "2026-04-23T07:28:12.404000",
"created": "2026-04-23T07:23:00.246000",
"tags": [
"copyright",
"apple computer",
"tcpip",
"supported",
"quantum",
"automounter map",
"use directory",
"get home",
"home autohome",
"facility",
"file",
"level",
"access",
"level info",
"broadcast",
"store",
"ignore",
"rules",
"sender",
"true",
"t option",
"mount",
"force",
"environment",
"automountdenv",
"promptcommand",
"shellsessiondir",
"histfile",
"histfilesize",
"terminal",
"myvar",
"histtimeformat",
"arrange",
"bashrematch",
"tell",
"postfix",
"mail",
"aliases",
"postfix version",
"restrict",
"wietse venema",
"sample",
"note",
"person",
"basic system",
"general",
"host database",
"inpck",
"nnnbaud",
"berkeley",
"parity",
"pc entry",
"pass8",
"parenb istrip",
"fixed speed",
"entry",
"clocal mode",
"open directory",
"jabber",
"group database",
"cyrus",
"calendar",
"dovecot",
"postfix scsd",
"networkd",
"searchpaths",
"freebsd",
"tmpdir",
"fcodes",
"prunepaths",
"vartmp",
"prunedirs",
"filesystems",
"status mailfrom",
"returnpath via",
"maxhistsize",
"promptmode",
"verbose end",
"etcirbrcloaded",
"default",
"setup",
"history file",
"kernel",
"readline",
"error",
"nroff",
"manpath",
"uncomment",
"manpager",
"whatispager",
"manlocale",
"every",
"manpath optman",
"maybe",
"troff",
"refer",
"pidfile",
"flags",
"bcgjnuwz",
"ps1h",
"make bash",
"s checkwinsize",
"etcbashrc",
"termprogram",
"daemon",
"service",
"server",
"user",
"audio",
"user database",
"unix copy",
"protocol",
"gate daemon",
"desktop",
"agent",
"bridge",
"bin usrsbin",
"sbin",
"default pf",
"care",
"bashno",
"r etcbashrc",
"ipv6",
"internet",
"icmp",
"cisco",
"monitoring",
"argus",
"chaos",
"rsvp",
"encapsulation",
"aris",
"isis",
"rfc1323",
"m1460",
"macos x",
"signature",
"linux",
"opera",
"xp sp1",
"windows sp1",
"nmap syn",
"m265",
"direct",
"unknown",
"synack",
"mind",
"macos",
"warp",
"generic",
"networkup",
"term",
"devnull",
"common setup",
"configure",
"set command",
"pathbin",
"path",
"netbootmount",
"netbootshadow",
"computername",
"localonly",
"localnetbootdir",
"netboot",
"define",
"purpose",
"networkonly",
"waiting",
"sunnet manager",
"rpcsrc",
"netlicense",
"apple",
"notice",
"dns hostname",
"dns query",
"see also",
"kame",
"ftpd",
"bindash binksh",
"binsh bintcsh",
"none",
"fax reception",
"hardwired",
"0007",
"setup user",
"home",
"zdotdir",
"delete",
"beep",
"vendor",
"kf10",
"kf11",
"kf12",
"kf13",
"backspace",
"insert",
"resume",
"termsessionid",
"savehist",
"sharehistory",
"addiconbytype",
"adddescription",
"directory",
"fancyindexed",
"gzip",
"indexignore",
"indexes",
"versionsort",
"fancyindexing",
"alias icons",
"format",
"browsermatch",
"davlockdb",
"requireany",
"webdav",
"usergroup",
"alias",
"authtype digest",
"davupload admin",
"authuserfile",
"apache",
"full",
"minrate500",
"keepalive",
"prod",
"email",
"apache http",
"timeout",
"number",
"minimal",
"major",
"manual",
"provide access",
"options indexes",
"require",
"sethandler",
"files",
"removetype tr",
"traditionally",
"addlanguage da",
"extendedstatus",
"change",
"require host",
"get information",
"allow server",
"allow",
"addlanguage",
"addcharset",
"defaultlanguage",
"fallback",
"polish",
"addlanguage pl",
"catalan",
"english",
"greekmodern",
"korean",
"turkish",
"ifmodule",
"threadsperchild",
"startservers",
"minsparethreads",
"maxsparethreads",
"maximum number",
"mpms",
"threadstacksize",
"loadfile c",
"html",
"proxyhtmllinks",
"first",
"ascii",
"unicode",
"windows",
"must",
"location",
"w3c html",
"example",
"sslsessioncache",
"ocsp stapling",
"ssl engine",
"sslrequire",
"ssltls standard",
"prng",
"sslrandomseed",
"openssl",
"high",
"userdir sites",
"control access",
"userdir",
"virtualhost",
"servername",
"virtualhost 80",
"serveradmin",
"documentroot",
"errorlog",
"customlog",
"hosts",
"please",
"almost",
"errorhttp",
"http",
"yourincludepath",
"apache version",
"serversignature",
"alias error",
"addhandler",
"include",
"serverroot",
"listen",
"ifdefine",
"loadmodule",
"errordocument",
"win32",
"main",
"addtype",
"directoryindex",
"claim",
"category",
"time",
"host",
"threadid",
"function",
"line",
"message",
"level error",
"a facility",
"guest",
"springboard",
"message sep",
"message mc",
"message secure",
"ca message",
"multitouchhid",
"usereventagent",
"cups",
"hp envy",
"high duplex",
"none colormodel",
"gray gamma",
"env10",
"envc6",
"envchou3",
"envchou4",
"envdl",
"isob5",
"false",
"cups scheduler",
"list",
"synconclose no",
"default user",
"user lp",
"group lp",
"system",
"group value",
"limit",
"order deny",
"require user",
"owner",
"authtype",
"default require",
"authkey",
"lpadmin",
"restrict access",
"d0 j",
"acl account",
"touch id",
"airdrop anchor",
"reject empty",
"domain",
"canonical",
"tables",
"ldap",
"post",
"replace user",
"address",
"bugs",
"matches",
"postfix smtp",
"ipv6 host",
"reject",
"reply",
"prior",
"hold",
"info",
"smtp",
"isp mail",
"name",
"mail delivery",
"charset",
"report",
"postfix dsn",
"mail returned",
"this",
"only",
"program",
"agreement",
"contributor",
"recipient",
"contribution",
"the program",
"corporation",
"contributors",
"product x",
"as expressly",
"arch",
"arch x8664",
"pipe wall",
"wimplicit",
"ranlib",
"warn",
"switch",
"start",
"systype",
"mime",
"headerchecks",
"readme files",
"filters while",
"posix",
"empty",
"body",
"pass",
"write",
"date",
"smtp server",
"specify",
"mx host",
"unix password",
"user unknown",
"postfix queue",
"unix",
"beware",
"class",
"uucp",
"shell",
"local",
"outlook",
"postfix master",
"begin",
"server admin",
"mail backend",
"modern smtp",
"iana",
"many",
"postfix pipe",
"recent cyrus",
"amos gouaux",
"old example",
"relocated",
"matches user",
"synopsis",
"or even",
"lutz jaenicke",
"technology",
"cottbus",
"germany",
"openssl package",
"openssl project",
"europe",
"remember that",
"use of",
"virtual",
"virtual alias",
"redirect mail",
"deliver mail",
"transport",
"description",
"result format",
"update",
"usrsbin",
"file format",
"no group",
"daemondirectory",
"id key",
"specification",
"auto exit",
"vpn socket",
"ipv4v6",
"userfqdn",
"fqdn",
"auditing",
"solaris",
"reserved",
"openbsm",
"secsrvr",
"allocation",
"bsm event",
"solaris kernel",
"openbsm kernel",
"solaris auemac",
"solaris umount",
"removed",
"Aishah Siti Lazim"
],
"references": [
"afpovertcp.cfg",
"auto_home",
"auto_master",
"asl.conf",
"autofs.conf",
"com.apple.screensharing.agent.launchd",
"bashrc_Apple_Terminal",
"csh.cshrc",
"csh.login",
"aliases",
"csh.logout",
"find.codes",
"ftpusers",
"hosts",
"gettytab",
"hosts.equiv",
"kern_loader.conf",
"group",
"locate.rc",
"mail.rc",
"irbrc",
"manpaths",
"man.conf",
"networks",
"newsyslog.conf",
"nfs.conf",
"bashrc",
"ntp_opendirectory.conf",
"nsmb.conf",
"ntp.conf",
"passwd",
"paths",
"pf.conf",
"profile",
"notify.conf",
"protocols",
"pf.os",
"rc.common",
"rc.netboot",
"rpc",
"rmtab",
"resolv.conf",
"rtadvd.conf",
"shells",
"syslog.conf",
"ttys",
"xtab",
"zprofile",
"zshrc",
"zshrc_Apple_Terminal",
"httpd-autoindex.conf",
"httpd-dav.conf",
"httpd-default.conf",
"httpd-manual.conf",
"httpd-info.conf",
"httpd-languages.conf",
"httpd-mpm.conf",
"proxy-html.conf",
"httpd-ssl.conf",
"httpd-userdir.conf",
"httpd-vhosts.conf",
"httpd-multilang-errordoc.conf",
"httpd.conf",
"mpm.conf",
"php7.conf",
"johndoe.conf",
"com.apple.cdscheduler",
"com.apple.contacts.ContactsAutocomplete",
"com.apple.authd",
"com.apple.eventmonitor",
"com.apple.mail",
"com.apple.iokit.power",
"com.apple.MessageTracer",
"com.apple.login.guest",
"com.apple.install",
"com.apple.networking.boringssl",
"com.apple.performance",
"com.apple.mkb.internal",
"com.apple.coreduetd",
"com.apple.mkb",
"snmp.conf",
"snmp.conf.default",
"HP_ENVY_6000_series__3D66E1_.ppd",
"cups-files.conf",
"cups-files.conf.default",
"cupsd.conf.default",
"cupsd.conf",
"com.apple.slapd.conf",
"com.apple.xscertd.conf",
"files.conf",
"com.apple.slapconfig.conf",
"authorization",
"authorization_la",
"authorization_ctk",
"authorization_aks",
"checkpw",
"authorization_lacont",
"chkpasswd",
"cups",
"login.term",
"login",
"other",
"screensaver",
"screensaver_new",
"screensaver_aks",
"screensaver_la",
"screensaver_new_ctk",
"screensaver_new_la",
"screensaver_new_aks",
"smbd",
"sshd",
"screensaver_ctk",
"su",
"sudo",
"sudo_local.template",
"10-cryptex",
"com.apple",
"custom_header_checks",
"canonical",
"access",
"generic",
"bounce.cf.default",
"LICENSE",
"makedefs.out",
"header_checks",
"main.cf",
"main.cf.proto",
"master.cf.default",
"master.cf.proto",
"main.cf.default",
"master.cf",
"relocated",
"TLS_LICENSE",
"virtual",
"transport",
"postfix-files",
"racoon.conf",
"psk.txt",
"audit_warn",
"audit_class",
"audit_event",
"audit_user",
"audit_control.example"
],
"public": 1,
"adversary": "DragonForce Hacker Group Malaysia, Al-Arqam",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "66f837de06233b5ccdd84a81",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 285,
"URL": 620,
"hostname": 309,
"email": 21,
"FileHash-SHA256": 220,
"CIDR": 3
},
"indicator_count": 1458,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "40 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T21:01:07.869000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9
},
"indicator_count": 14134,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "42 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b7241a63b7527ac2b04d60",
"name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]",
"description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]",
"modified": "2026-04-14T18:06:37.524000",
"created": "2026-03-15T21:26:50.218000",
"tags": [
"man software",
"destination",
"port",
"united",
"delete",
"read c",
"virustotal",
"patched3_c.akrv",
"armadillov171",
"dod",
"thinkman",
"win32",
"trojan",
"present mar",
"backdoor",
"urls",
"files",
"unknown",
"search",
"china as23724",
"asnone",
"artemis",
"zeppelin",
"drweb",
"vipre",
"panda",
"malware",
"suspicious",
"cloud",
"logic",
"et trojan",
"et info",
"download",
"windows",
"embeddedwb",
"shellexecuteexw",
"msie",
"windows nt",
"writeconsolew",
"displayname",
"service",
"ids detections",
"yara detections",
"crypt",
"medium",
"whitelisted",
"passive dns",
"worm",
"mtb may",
"mtb aug",
"otx logo",
"all ipv4",
"pulse pulses",
"dynamicloader",
"yara rule",
"ff d5",
"high",
"reg add",
"regsz d",
"write",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"pe packer",
"pm size",
"pehash",
"richhash",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"found",
"over",
"sha256",
"sha1",
"ascii text",
"size",
"mitre att",
"pattern match",
"null",
"span",
"error",
"body",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"refresh",
"tools",
"title",
"show technique",
"look",
"verify",
"restart",
"t1480 execution",
"navy",
"reputation",
"adult content",
"cyber warfare"
],
"references": [
"AVDetections: Patched3_c.AKRV",
"Yara Detections: Armadillov171",
"Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http",
"IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40",
"Contacted Domains: tick.usno.navy.mil www.thinkman.com",
"AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States",
"AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States",
"AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany",
"AS15169 google llc | 8.8.8.8\t| dns.google | United States",
"Email: d4@thinkman.com",
"Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States",
"ASN AS27064 dod network information center",
"Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.",
"Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.",
"tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen",
"TrojanDownloader:Win32/Umbald.A\tMalware infection",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc",
"Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process",
"Alerts: stealth_window packer_entropy uses_windows_utilities",
"Alerts: console_output antivm_memory_available pe_features",
"Yara Detections: MS_Visual_Basic_6_0",
"Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun",
"Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe",
"Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
"Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities",
"Alerts: queries_user_name queries_keyboard_layout queries_locale_api",
"Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types",
"porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com",
"http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/",
"navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/",
"https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous",
"192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host",
"444ea032708bb0d940de0ef72b944244 | credit msudosos",
"Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244",
"https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]",
"https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf",
"DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )",
"205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )",
"https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0",
"mailbox.co.za",
"fmx32.aig.com \u2022 167.230.105.81",
"https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Patched3_c.AKRV",
"display_name": "Patched3_c.AKRV",
"target": null
},
{
"id": "Win32:Agent-ALXE\\ [Rtk]",
"display_name": "Win32:Agent-ALXE\\ [Rtk]",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4668",
"display_name": "Win.Trojan.Rootkit-4668",
"target": null
},
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
},
{
"id": "Crypt3.CHZW",
"display_name": "Crypt3.CHZW",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Crypt3.BOQD\t\t Inject2.BHBW",
"display_name": "Crypt3.BOQD\t\t Inject2.BHBW",
"target": null
},
{
"id": "Crypt3.BMVU",
"display_name": "Crypt3.BMVU",
"target": null
},
{
"id": "Trojan.DownLoader12.43161",
"display_name": "Trojan.DownLoader12.43161",
"target": null
},
{
"id": "HEUR/UnSec",
"display_name": "HEUR/UnSec",
"target": null
},
{
"id": "ET Trojan",
"display_name": "ET Trojan",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "TrojanDownloader:Win32/Umbald.A",
"display_name": "TrojanDownloader:Win32/Umbald.A",
"target": "/malware/TrojanDownloader:Win32/Umbald.A"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1048.001",
"name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Military",
"Defense",
"Insurance"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 165,
"FileHash-SHA1": 165,
"FileHash-SHA256": 3524,
"URL": 11424,
"email": 1,
"hostname": 3954,
"domain": 2523
},
"indicator_count": 21756,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "48 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d3532c76eb3bf5edd9609b",
"name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek",
"description": "",
"modified": "2026-04-06T06:31:08.181000",
"created": "2026-04-06T06:31:08.181000",
"tags": [
"no expiration",
"filehashmd5",
"iocs",
"next",
"scan endpoints",
"all octoseek",
"create new",
"pulse use",
"pdf report",
"pcap",
"filehashsha1",
"filehashsha256",
"ipv4",
"expiration",
"url http",
"url https",
"hostname",
"domain",
"domain xn",
"orgid1054",
"ruen",
"multiru",
"multi",
"fh no",
"f no",
"m892175",
"n1822",
"contact",
"contacted",
"ciphersuite",
"backdoor",
"generic malware",
"mydoom",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"1b@ssl.com",
"apple",
"all octoseek",
"aaaa",
"access",
"alerts",
"analyze",
"antivirus",
"apple as714",
"apple as8075",
"bootstrap@4.6.2",
"body",
"cellebrite",
"cobalt strike",
"command and control",
"content type",
"core",
"create c",
"cyber threat",
"dark power",
"privilege",
"abuse",
"legal",
"privilege abuse",
"preemptive policing",
"ransomware",
"dns",
"worm",
"network",
"rat",
"bat",
"colorado",
"douglas county",
"pd",
"racism",
"sexism",
"cover up",
"malicious",
"jeffrey reimer dpt",
"default",
"defender",
"delete c",
"dnssec",
"document file",
"dynamic",
"dynamicloader",
"emotet",
"execution",
"expiration",
"date",
"factory",
"february",
"filehash",
"formbook",
"hacktool",
"framing",
"harstel",
"florence, co",
"sherida",
"spyeye",
"castle pines",
"tools",
"defense",
"medical malpractice fraud",
"scheme",
"tsara brashears",
"targeting",
"swatting",
"high",
"hostname",
"hostnames",
"malicious prosecution",
"apb",
"installer",
"intel",
"iocs",
"ios",
"lawlink@2x.svg",
"local",
"local",
"lockbit",
"lumma stealer",
"corruption",
"state actors",
"untitled states",
"installer",
"intel",
"makop",
"malware",
"silencing",
"ms windows",
"human rights",
"civil rights",
"retaliation",
"name servers",
"next",
"passive dns",
"paste",
"collect contacts",
"password",
"unlock phone",
"ios",
"apple gateway",
"android overlay",
"interfacing",
"pe32",
"pegasus",
"phishing",
"protect",
"pulse",
"pulses",
"qakbot",
"quasar",
"ransomexx",
"read c",
"record value",
"regdword",
"regsetvalueexa",
"relacionada",
"sample",
"samples",
"scan endpoints",
"search",
"servers",
"shared",
"show",
"ssl certificate",
"status",
"stealer",
"survivor",
"t1063",
"targets sa",
"url",
"xport",
"write c",
"write",
"win32",
"whois record",
"threat",
"threat analyzer",
"tlsv1",
"tracking",
"united",
"unknown",
"urls",
"urls https",
"ursnif",
"v2 document",
"vanilla-lazyload@12.0.0",
"vista event"
],
"references": [
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software",
"cbi.com",
"deviceinbox.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]",
"http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]",
"support.apple.com [nefarious]",
"caselaw.lawlink.com",
"http://mail.thyrsus.com/ [phishing]",
"ppa.launchpad.net [Apple open use]",
"http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]",
"1click-uninstaller.informer.com [Apple - access PE]",
"http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "ALF:Trojan:PowerShell/DynamicLoader",
"display_name": "ALF:Trojan:PowerShell/DynamicLoader",
"target": null
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Worm:Win32/Bloored.E",
"display_name": "Worm:Win32/Bloored.E",
"target": "/malware/Worm:Win32/Bloored.E"
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "RansomEXX (ELF)",
"display_name": "RansomEXX (ELF)",
"target": null
},
{
"id": "Ransom:Win32/Makop",
"display_name": "Ransom:Win32/Makop",
"target": "/malware/Ransom:Win32/Makop"
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "PWS:Win32/XPort",
"display_name": "PWS:Win32/XPort",
"target": "/malware/PWS:Win32/XPort"
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1505.001",
"name": "SQL Stored Procedures",
"display_name": "T1505.001 - SQL Stored Procedures"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65bbb998c3b7662e5059b6c2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1353,
"URL": 5046,
"FileHash-MD5": 5182,
"FileHash-SHA1": 2869,
"FileHash-SHA256": 4063,
"hostname": 2471,
"email": 28,
"CVE": 2,
"SSLCertFingerprint": 5
},
"indicator_count": 21019,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "57 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d3532a6537880f6e2c68dc",
"name": "clone credit octoseek-Dark Power - Pegasus | https://lawlink.com/ CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by OctoSeek",
"description": "",
"modified": "2026-04-06T06:31:06.730000",
"created": "2026-04-06T06:31:06.730000",
"tags": [
"no expiration",
"filehashmd5",
"iocs",
"next",
"scan endpoints",
"all octoseek",
"create new",
"pulse use",
"pdf report",
"pcap",
"filehashsha1",
"filehashsha256",
"ipv4",
"expiration",
"url http",
"url https",
"hostname",
"domain",
"domain xn",
"orgid1054",
"ruen",
"multiru",
"multi",
"fh no",
"f no",
"m892175",
"n1822",
"contact",
"contacted",
"ciphersuite",
"backdoor",
"generic malware",
"mydoom",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"1b@ssl.com",
"apple",
"all octoseek",
"aaaa",
"access",
"alerts",
"analyze",
"antivirus",
"apple as714",
"apple as8075",
"bootstrap@4.6.2",
"body",
"cellebrite",
"cobalt strike",
"command and control",
"content type",
"core",
"create c",
"cyber threat",
"dark power",
"privilege",
"abuse",
"legal",
"privilege abuse",
"preemptive policing",
"ransomware",
"dns",
"worm",
"network",
"rat",
"bat",
"colorado",
"douglas county",
"pd",
"racism",
"sexism",
"cover up",
"malicious",
"jeffrey reimer dpt",
"default",
"defender",
"delete c",
"dnssec",
"document file",
"dynamic",
"dynamicloader",
"emotet",
"execution",
"expiration",
"date",
"factory",
"february",
"filehash",
"formbook",
"hacktool",
"framing",
"harstel",
"florence, co",
"sherida",
"spyeye",
"castle pines",
"tools",
"defense",
"medical malpractice fraud",
"scheme",
"tsara brashears",
"targeting",
"swatting",
"high",
"hostname",
"hostnames",
"malicious prosecution",
"apb",
"installer",
"intel",
"iocs",
"ios",
"lawlink@2x.svg",
"local",
"local",
"lockbit",
"lumma stealer",
"corruption",
"state actors",
"untitled states",
"installer",
"intel",
"makop",
"malware",
"silencing",
"ms windows",
"human rights",
"civil rights",
"retaliation",
"name servers",
"next",
"passive dns",
"paste",
"collect contacts",
"password",
"unlock phone",
"ios",
"apple gateway",
"android overlay",
"interfacing",
"pe32",
"pegasus",
"phishing",
"protect",
"pulse",
"pulses",
"qakbot",
"quasar",
"ransomexx",
"read c",
"record value",
"regdword",
"regsetvalueexa",
"relacionada",
"sample",
"samples",
"scan endpoints",
"search",
"servers",
"shared",
"show",
"ssl certificate",
"status",
"stealer",
"survivor",
"t1063",
"targets sa",
"url",
"xport",
"write c",
"write",
"win32",
"whois record",
"threat",
"threat analyzer",
"tlsv1",
"tracking",
"united",
"unknown",
"urls",
"urls https",
"ursnif",
"v2 document",
"vanilla-lazyload@12.0.0",
"vista event"
],
"references": [
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software",
"cbi.com",
"deviceinbox.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]",
"http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]",
"support.apple.com [nefarious]",
"caselaw.lawlink.com",
"http://mail.thyrsus.com/ [phishing]",
"ppa.launchpad.net [Apple open use]",
"http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]",
"1click-uninstaller.informer.com [Apple - access PE]",
"http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "ALF:Trojan:PowerShell/DynamicLoader",
"display_name": "ALF:Trojan:PowerShell/DynamicLoader",
"target": null
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Worm:Win32/Bloored.E",
"display_name": "Worm:Win32/Bloored.E",
"target": "/malware/Worm:Win32/Bloored.E"
},
{
"id": "Makop",
"display_name": "Makop",
"target": null
},
{
"id": "RansomEXX (ELF)",
"display_name": "RansomEXX (ELF)",
"target": null
},
{
"id": "Ransom:Win32/Makop",
"display_name": "Ransom:Win32/Makop",
"target": "/malware/Ransom:Win32/Makop"
},
{
"id": "Quasar RAT",
"display_name": "Quasar RAT",
"target": null
},
{
"id": "QakBot",
"display_name": "QakBot",
"target": null
},
{
"id": "PWS:Win32/XPort",
"display_name": "PWS:Win32/XPort",
"target": "/malware/PWS:Win32/XPort"
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "Dark Power",
"display_name": "Dark Power",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "LockBit",
"display_name": "LockBit",
"target": null
},
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1562.003",
"name": "Impair Command History Logging",
"display_name": "T1562.003 - Impair Command History Logging"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1505.001",
"name": "SQL Stored Procedures",
"display_name": "T1505.001 - SQL Stored Procedures"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65bbb998c3b7662e5059b6c2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1353,
"URL": 5046,
"FileHash-MD5": 5182,
"FileHash-SHA1": 2869,
"FileHash-SHA256": 4063,
"hostname": 2471,
"email": 28,
"CVE": 2,
"SSLCertFingerprint": 5
},
"indicator_count": 21019,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "57 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64e1d5e06aa6207f78de",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:21.863000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 149,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf64eccb5d39a90a3c391e",
"name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
"description": "",
"modified": "2026-03-27T00:30:39.055000",
"created": "2026-03-22T03:41:32.565000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": "698e93e1ab02db8c49e8c3ed",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27572,
"FileHash-SHA256": 46076,
"FileHash-MD5": 42177,
"FileHash-SHA1": 22874,
"hostname": 33438,
"URL": 74810,
"SSLCertFingerprint": 21,
"CVE": 7579,
"email": 297,
"FileHash-IMPHASH": 8,
"CIDR": 26203,
"JA3": 1
},
"indicator_count": 281056,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b49ad5dd40a24d83cd6a72",
"name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-03-13T23:16:37.716000",
"created": "2026-03-13T23:16:37.716000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69631fbd16e306ee2b76c4da",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b496396ca4987e95ad37d1",
"name": "Chris Buzz by QVashni (wow)",
"description": "",
"modified": "2026-03-13T22:56:57.314000",
"created": "2026-03-13T22:56:57.314000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69482caa00d327da8f0a87bc",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b49587dd104e342dda1628",
"name": "C Ahman Attorney Clone by Top Tier, Q.Vashti",
"description": "",
"modified": "2026-03-13T22:53:59.112000",
"created": "2026-03-13T22:53:59.112000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "80 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b92a27c47d4e28927364",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:26.110000",
"created": "2026-03-12T13:01:30.067000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 74,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b9295603a6100edfa8c8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:24:25.387000",
"created": "2026-03-12T13:01:29.284000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 70,
"modified_text": "81 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b927aa7f10e82639d204",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.872000",
"created": "2026-03-12T13:01:27.872000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b927c086397130c5d114",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:27.275000",
"created": "2026-03-12T13:01:27.275000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b926871746ed8a1bc324",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:26.440000",
"created": "2026-03-12T13:01:26.440000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b925e85c948d4dd608cc",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:01:25.852000",
"created": "2026-03-12T13:01:25.852000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e974189d2c41f07ed8",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:25.910000",
"created": "2026-03-12T13:00:25.910000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8e74d2b3effd55f88c3",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:23.173000",
"created": "2026-03-12T13:00:23.173000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8dfbf8426a7a1d0146d",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:15.427000",
"created": "2026-03-12T13:00:15.427000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d7123610591625b8fb",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:07.354000",
"created": "2026-03-12T13:00:07.354000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d61e3f64a8f1f169b6",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:06.214000",
"created": "2026-03-12T13:00:06.214000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b2b8d24eeb4200bdb1d702",
"name": "operation endgame clone by privacynotacrime (very detailed piece)",
"description": "",
"modified": "2026-03-12T13:00:02.096000",
"created": "2026-03-12T13:00:02.096000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": "687992eceac6f12e9cebd65f",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "81 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "691f4d4ef0a2a570b8b21cd2",
"name": "Chris P. Ahmann Colorado State Criminal Defense Attorney",
"description": "Chris P. Ahmann Colorado State Criminal Defense attorney hired by quasi government Workers Compensation to completely destroy Tsara Brashears literally to death. None of her spinal cord injuries , and other assault injuries discussed or compensated for in rushed settlement case. Her awful racist attorney refused to represent plaintiffs in hearing. Never met with in person for no good reason. Tsara represented herself. Less that 24 hour notice. No briefings, no awareness or mention that Ahmann was representing Jeffrey Scott Reimer for assault\n case. Brashears required 24 hour care by end of life. Received 0 workers compsarion payments. But if this doesn\u2019t prove Reimer\u2019s guilt what does? Continued harassment of associated. \n\nNotice the outages? You\u2019ve cost BILLIONS? Stop threatening everyone.",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-11-20T17:18:06.929000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "132 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69482caa00d327da8f0a87bc",
"name": "Chris P.\u2019 Buzz\u2019 Ahmann Colorado State Criminal Defense Attorney (22.20.2025)",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-21T17:21:46.434000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "132 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695557ee134b978b00883c29",
"name": "Chris P. Ahmann \u2022 Stay out of PRIVATE PROPERTY HITMAN! Colorado State",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2025-12-31T17:05:50.134000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "691f4d4ef0a2a570b8b21cd2",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "132 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69631fbd16e306ee2b76c4da",
"name": "Chris P. Ahmann \u2022 STAY Away!f PRIVATE PROPERTY Colorado State Fixer!",
"description": "",
"modified": "2026-01-20T17:02:02.650000",
"created": "2026-01-11T03:57:49.242000",
"tags": [
"related pulses",
"p1377925676",
"gaz1",
"sid1696503456",
"sct1",
"active",
"dynamicloader",
"medium",
"write c",
"search",
"show",
"high",
"program gateway",
"http traffic",
"http",
"write",
"malware",
"nivdort",
"serving ip",
"address",
"status code",
"kb body",
"sha256",
"gw5hjz7t975",
"url https",
"url http",
"indicator role",
"pulses url",
"hostname",
"poland unknown",
"present sep",
"present jul",
"present may",
"present apr",
"present dec",
"present jan",
"moved",
"passive dns",
"ip address",
"title",
"location poland",
"asn as29522",
"gmt content",
"accept encoding",
"ipv4 add",
"urls",
"files",
"reverse dns",
"united",
"record value",
"aaaa",
"mtb oct",
"found",
"error",
"read c",
"memcommit",
"module load",
"next",
"showing",
"trojan",
"execution",
"unknown",
"entries",
"ms windows",
"intel",
"as15169",
"codeoverlap",
"yara detections",
"delphi",
"worm",
"win32",
"win64",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ssl certificate",
"execution att",
"script urls",
"treece alfrey",
"meta",
"germany unknown",
"for privacy",
"title added",
"active related",
"pulses",
"asnone",
"named pipe",
"type indicator",
"role title",
"added active",
"filehashsha256",
"ally",
"melika",
"information",
"law christopher",
"https",
"fake pinterest",
"tsara",
"traceback man",
"expiro",
"capture",
"domain",
"types of",
"germany",
"poland",
"netherlands",
"cve cve20178977",
"boobs130432 nov",
"learn more",
"filehashmd5",
"utmsourceawin",
"pe32",
"head microsoft",
"delete",
"main",
"backdoor",
"next associated",
"gmt connection",
"control",
"content type",
"twitter",
"certificate",
"redirect date",
"cache",
"unknown ns",
"hostname add",
"ipv4",
"pulse pulses",
"location united",
"america flag",
"america asn",
"windows",
"total",
"ids detections",
"url add",
"related nids",
"files location",
"flag united",
"win32mydoom nov",
"domain add",
"yara rule",
"ee fc",
"ff d5",
"f0 ff",
"eb e1",
"ff ff",
"c1 e8",
"c1 c0",
"eb e8",
"mpress",
"cache control",
"x cache",
"date",
"name servers",
"arial",
"present aug",
"present jun",
"may god",
"hall render",
"palantir doing",
"jeffrey scott",
"jeffrey reimer",
"brian sabey",
"butt pirates",
"scott reimer",
"colorado",
"quasi government",
"workers compensation",
"eva lisa",
"eva reimer",
"sammie",
"montano mark",
"death threats",
"tulach",
"hired hit men",
"gay man",
"gay porn",
"concentra",
"corruption",
"palantir",
"foundry",
"grifter",
"warning",
"illegal",
"apple",
"contacted",
"ransom",
"dead",
"denver"
],
"references": [
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"https://www.sweetheartvideo.com/scenes?models=63710",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"https://www.vgt.pl/favicon.ico",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://watchhers.net/index.php",
"remotewd.com device local",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "Worm:Win32/Autorun",
"display_name": "Worm:Win32/Autorun",
"target": "/malware/Worm:Win32/Autorun"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Jaik",
"display_name": "Jaik",
"target": null
},
{
"id": "Trojan:Win32/Qshell",
"display_name": "Trojan:Win32/Qshell",
"target": "/malware/Trojan:Win32/Qshell"
},
{
"id": "Trojan:Win32/Mydoom",
"display_name": "Trojan:Win32/Mydoom",
"target": "/malware/Trojan:Win32/Mydoom"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1197",
"name": "BITS Jobs",
"display_name": "T1197 - BITS Jobs"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "695557ee134b978b00883c29",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 8897,
"domain": 2102,
"hostname": 2867,
"FileHash-SHA256": 3886,
"FileHash-MD5": 619,
"FileHash-SHA1": 555,
"CVE": 3,
"email": 5,
"SSLCertFingerprint": 8
},
"indicator_count": 18942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "132 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695ea667a062ed6688b104ab",
"name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ",
"description": "",
"modified": "2026-01-07T18:31:03.104000",
"created": "2026-01-07T18:31:03.104000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": "692897a64c0e255409b5a67e",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "145 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695ea6590a50f71a156c9a7f",
"name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ",
"description": "",
"modified": "2026-01-07T18:30:49.442000",
"created": "2026-01-07T18:30:49.442000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": "692897a64c0e255409b5a67e",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "145 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69314926519256e3ef0a9358",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:06.657000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 151,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69314920e287845f6b36a265",
"name": "BeeLineRouter.Net \u2022 Apple Access",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:41:04.190000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"FileHash-SHA256": 3634,
"URL": 5839,
"CVE": 2,
"domain": 1048,
"email": 15,
"hostname": 1944,
"SSLCertFingerprint": 2
},
"indicator_count": 13089,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 150,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "693148dc0eb85adc8edfe1a2",
"name": "BeeLineRouter.Net \u2022 Isolated / Apple Baxkdoor",
"description": "",
"modified": "2026-01-03T07:00:45.529000",
"created": "2025-12-04T08:39:56.180000",
"tags": [
"mitre att",
"network traffic",
"ck id",
"show technique",
"ck matrix",
"threat score",
"december",
"default browser",
"guest system",
"united",
"dynadot inc",
"name server",
"contacted hosts",
"process details",
"windir",
"openurl c",
"prefetch2",
"learn",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"access att",
"t1566 phishing",
"ascii text",
"pattern match",
"show process",
"t1071",
"general",
"local",
"path",
"click",
"beelinerouter",
"access",
"router",
"apple",
"regopenkeyexw",
"regsz",
"process32nextw",
"english",
"post http",
"search",
"observed dns",
"query",
"sinkhole cookie",
"malware",
"possible",
"win32",
"updater",
"write",
"next",
"found",
"ip address",
"domain",
"name servers",
"unknown ns",
"ip whois",
"registrar",
"cloudflare",
"title",
"passive dns",
"urls",
"files",
"location united",
"asn as14618",
"bq dec",
"virtool",
"backdoor",
"checkin",
"ipv4 add",
"trojan",
"dynamicloader",
"msie",
"windows nt",
"slcc2",
"media center",
"unknown",
"show",
"internal",
"encrypt",
"veailmboprd",
"dns query",
"wow64",
"gecko http",
"entries",
"medium",
"ransom",
"khtml",
"gecko",
"delete",
"installer",
"win32cve may",
"america flag",
"overview ip",
"asn as20940",
"expiration",
"url https",
"no expiration",
"url http",
"pulse show",
"type indicator",
"role title",
"related pulses",
"record value",
"domain xn"
],
"references": [
"HTTPS://BeeLineRouter.Net",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"https://appleid.xn--appe-70a.com/",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://vgt.pl/r.n%20-",
"8-25-220-162-static.reverse.queryfoundry.net",
"queryfoundry.net",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"0-209-98-172-static.reverse.queryfoundry.net",
"154-143-182-107-static.reverse.queryfoundry.net",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"167-16-68-38-static.reverse.queryfoundry.net",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"177-231-69-38-static.reverse.queryfoundry.net",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"237-189-251-104-static.reverse.queryfoundry.net",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"181-135-182-107-static.reverse.queryfoundry.net",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"67-228-69-38-static.reverse.queryfoundry.net",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://195-214-98-172-static.reverse.queryfoundry.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Simda",
"display_name": "Simda",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
},
{
"id": "GandCrab Ransomware",
"display_name": "GandCrab Ransomware",
"target": null
},
{
"id": "Win.Virus.Expiro",
"display_name": "Win.Virus.Expiro",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
}
],
"attack_ids": [
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1049,
"URL": 5839,
"hostname": 1944,
"FileHash-SHA256": 3634,
"FileHash-MD5": 310,
"FileHash-SHA1": 295,
"CVE": 2,
"email": 15,
"SSLCertFingerprint": 2
},
"indicator_count": 13090,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 148,
"modified_text": "150 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692fdb10627488a886ec6f8f",
"name": "Apple \u2022 Gamarue | Fully compromised iOS | Ahmanm , Tulach , Sabey and ?",
"description": "Device testing. Calling Apple : scam pop ups, apple advisors ,emails, screen shares. Calling : State and Government offices : scam receptionists , investigators, dropped calls, connect without ringing. Calling businesses: routed to scam to scammers. | Apps : all fake. random data. \n\nAligned with same attackers listed. Indicator deletion and attorney caught hijacking. \n\nCannot open LevelBlue Indicators on affected. device. Device can create a mini pulse. \n,",
"modified": "2026-01-02T05:01:36.144000",
"created": "2025-12-03T06:39:12.995000",
"tags": [
"united",
"servers",
"data upload",
"extraction",
"sc data",
"boot",
"techniques none",
"modules",
"logon autostart",
"execu",
"privilege",
"process",
"evasion",
"search",
"info",
"techniques low",
"execution flow",
"injection",
"apple",
"rootkit",
"hybrid analysis",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"a061s.exe",
"tulach",
"christopher p ahmanm",
"passive dns",
"urls",
"url add",
"http",
"files domain",
"files related",
"pulses otx",
"virustotal",
"foundry",
"helix",
"mapkit",
"hacking",
"denver",
"retaliation",
"redirect",
"no server",
"reroute",
"scammers",
"coconut island",
"brain sabey",
"dns requests",
"domain address",
"contacted hosts",
"t1480 execution",
"file defense"
],
"references": [
"getsupport.apple.com\t \u2022 apple.com",
"Matches rule Registry Modification to Hidden File Extension by frack113",
"Matches rule Msiexec Initiated Connection by frack113",
"Matches rule Creation of an Executable by an Executable by frack113",
"Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Tulach \u2022 114.114.114.114",
"http://foundry2-lbl.dvr.dn2.n-helix.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan/Win32.Gamarue.C1976125",
"display_name": "Trojan/Win32.Gamarue.C1976125",
"target": null
},
{
"id": "Trojan.GenericKDZ.93839",
"display_name": "Trojan.GenericKDZ.93839",
"target": null
},
{
"id": "Tulach Malware",
"display_name": "Tulach Malware",
"target": null
},
{
"id": "Trojan.MyDoom/Mudrop",
"display_name": "Trojan.MyDoom/Mudrop",
"target": null
},
{
"id": "Trojan.Win.Small",
"display_name": "Trojan.Win.Small",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1401",
"name": "Device Administrator Permissions",
"display_name": "T1401 - Device Administrator Permissions"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1542.003",
"name": "Bootkit",
"display_name": "T1542.003 - Bootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
}
],
"industries": [
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 413,
"FileHash-MD5": 14,
"FileHash-SHA1": 4,
"URL": 1321,
"domain": 219,
"email": 3,
"FileHash-SHA256": 696
},
"indicator_count": 2670,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "151 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "687992eceac6f12e9cebd65f",
"name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
"description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
"modified": "2025-12-28T19:04:27.449000",
"created": "2025-07-18T00:18:50.968000",
"tags": [
"Spyware",
"Trojan",
"Pegasus",
"DNS",
"Graphite",
"Paragon",
"NSO",
"NSO Group",
"Security",
"Samsung",
"Google",
"Amazon",
"HP",
"Cloudflare",
"Endgame",
"Europe",
"Espionage",
"Malware",
"Campaign",
"Civil",
"People",
"Civilians",
"Crime",
"Hackers",
"Sony",
"Wix",
"Mobileye",
"Skynet",
"Android",
"iOS",
"Mac",
"Windows",
"Microsoft",
"Linux",
"Mirai",
"Berbew",
"Trojan Downloader",
"html_smuggling",
"FormBook",
"stealer"
],
"references": [],
"public": 1,
"adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"targeted_countries": [
"United States of America",
"Australia",
"Canada",
"Denmark",
"Finland",
"Germany",
"Ireland",
"Lithuania",
"Spain",
"Poland",
"Romania",
"United Arab Emirates",
"Ukraine",
"Taiwan",
"Sweden",
"Norway",
"Luxembourg"
],
"malware_families": [
{
"id": "Pegasus for Android - MOB-S0032",
"display_name": "Pegasus for Android - MOB-S0032",
"target": null
},
{
"id": "Pegasus for iOS - S0289",
"display_name": "Pegasus for iOS - S0289",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "Graphite (Pegasus variant)",
"display_name": "Graphite (Pegasus variant)",
"target": null
},
{
"id": "Paragon (Pegasus variant)",
"display_name": "Paragon (Pegasus variant)",
"target": null
},
{
"id": "Backdoor:Linux/Mirai",
"display_name": "Backdoor:Linux/Mirai",
"target": "/malware/Backdoor:Linux/Mirai"
},
{
"id": "Mirai (Windows)",
"display_name": "Mirai (Windows)",
"target": null
},
{
"id": "TrojanDownloader:Linux/Mirai",
"display_name": "TrojanDownloader:Linux/Mirai",
"target": "/malware/TrojanDownloader:Linux/Mirai"
},
{
"id": "Trojan:JS/Berbew",
"display_name": "Trojan:JS/Berbew",
"target": "/malware/Trojan:JS/Berbew"
},
{
"id": "ALF:Backdoor:JAVA/Webshell",
"display_name": "ALF:Backdoor:JAVA/Webshell",
"target": null
},
{
"id": "ALF:Backdoor:PowerShell/ReverseShell",
"display_name": "ALF:Backdoor:PowerShell/ReverseShell",
"target": null
},
{
"id": "Pegasus for Mac",
"display_name": "Pegasus for Mac",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
"target": null
},
{
"id": "XLoader for iOS - S0490",
"display_name": "XLoader for iOS - S0490",
"target": null
},
{
"id": "Starfighter (Javascript)",
"display_name": "Starfighter (Javascript)",
"target": null
},
{
"id": "Careto",
"display_name": "Careto",
"target": null
},
{
"id": "#Lowfi:Exploit:Java/CVE-2012-0507",
"display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
"target": null
},
{
"id": "Zeroaccess - S0027",
"display_name": "Zeroaccess - S0027",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/RemoteShell",
"display_name": "#HSTR:HackTool:Win32/RemoteShell",
"target": null
},
{
"id": "#LowfiTrojan:HTML/Iframe",
"display_name": "#LowfiTrojan:HTML/Iframe",
"target": "/malware/#LowfiTrojan:HTML/Iframe"
},
{
"id": "HTML Smuggling",
"display_name": "HTML Smuggling",
"target": null
},
{
"id": "ALF:HTML/Phishing",
"display_name": "ALF:HTML/Phishing",
"target": "/malware/ALF:HTML/Phishing"
},
{
"id": "Pegasus RDP module for Windows",
"display_name": "Pegasus RDP module for Windows",
"target": null
},
{
"id": "#Lowfi:HSTR:Win32/MediaDownloader",
"display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
"target": null
}
],
"attack_ids": [
{
"id": "T1218.001",
"name": "Compiled HTML File",
"display_name": "T1218.001 - Compiled HTML File"
},
{
"id": "T1192",
"name": "Spearphishing Link",
"display_name": "T1192 - Spearphishing Link"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1454",
"name": "Malicious SMS Message",
"display_name": "T1454 - Malicious SMS Message"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1553.004",
"name": "Install Root Certificate",
"display_name": "T1553.004 - Install Root Certificate"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1476",
"name": "Deliver Malicious App via Other Means",
"display_name": "T1476 - Deliver Malicious App via Other Means"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1021.001",
"name": "Remote Desktop Protocol",
"display_name": "T1021.001 - Remote Desktop Protocol"
},
{
"id": "T1021.006",
"name": "Windows Remote Management",
"display_name": "T1021.006 - Windows Remote Management"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1059.004",
"name": "Unix Shell",
"display_name": "T1059.004 - Unix Shell"
},
{
"id": "T1094",
"name": "Custom Command and Control Protocol",
"display_name": "T1094 - Custom Command and Control Protocol"
},
{
"id": "T1088",
"name": "Bypass User Account Control",
"display_name": "T1088 - Bypass User Account Control"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1596.001",
"name": "DNS/Passive DNS",
"display_name": "T1596.001 - DNS/Passive DNS"
},
{
"id": "T1596.004",
"name": "CDNs",
"display_name": "T1596.004 - CDNs"
},
{
"id": "T1563.002",
"name": "RDP Hijacking",
"display_name": "T1563.002 - RDP Hijacking"
},
{
"id": "T1019",
"name": "System Firmware",
"display_name": "T1019 - System Firmware"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1566.001",
"name": "Spearphishing Attachment",
"display_name": "T1566.001 - Spearphishing Attachment"
}
],
"industries": [
"Civil",
"People",
"Civilians"
],
"TLP": "green",
"cloned_from": null,
"export_count": 375,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 7,
"follower_count": 0,
"vote": 0,
"author": {
"username": "privacynotacrime",
"id": "349346",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 218783,
"CIDR": 14,
"FileHash-MD5": 1558,
"domain": 171413,
"email": 10,
"hostname": 126790,
"FileHash-SHA256": 135215,
"CVE": 7,
"IPv4": 5987,
"FileHash-SHA1": 1386,
"IPv6": 289
},
"indicator_count": 661452,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "155 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692897a64c0e255409b5a67e",
"name": "Frost Security | Attorneys | Government | Crazy",
"description": "Dangerous. Being abused by the usual quasi government suspects. Affecting many targets including Candace Owens. Who can you turn to when your own government is 100% corrupt. \n\nCall me crazy. Idk. DJT was likely shot with a High Velocity Paint Ball. Why isn\u2019t anyone interviewing the families of the 3 \u2018allegedly\u2019 successfully assassinated. \n\nIs Charlie Kirk Dead or in hiding, an alien that doesn\u2019t bleed? \n\nLook it up. High Velocity Paint Ball is a very intensely underrated, nharsky spoken about sport enjoyed by gun enthusiast , snipers , military, civilians. Something weird is going on and it\u2019s actually obvious because they just want results.\n There\u2019s more disturbing things to come. I think more people are being taken out this way than we know.\nBy now I\u2019m under too much surveillance to just leave out casually. \nTerrifying for sure. I know Hos of the Bible is bigger.",
"modified": "2025-12-27T17:01:06.155000",
"created": "2025-11-27T18:25:42.570000",
"tags": [
"active",
"type win32",
"exe size",
"first seen",
"malicious avg",
"win32",
"gdata",
"dynamicloader",
"fe ff",
"high",
"write c",
"data",
"x00bx00",
"uswv",
"write",
"redline",
"stream",
"guard",
"malware",
"push",
"local",
"crazyfrost",
"adversarial",
"hacker",
"extraction",
"enter sc",
"data upload",
"extre data",
"included iocs",
"url http",
"url https",
"include review",
"exclude sugges",
"frost security",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"process details",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"spawns",
"defense evasion",
"t1480 execution",
"signing defense",
"united",
"flag",
"contacted",
"http traffic",
"file defense",
"mitre att",
"ck techniques",
"evasion att",
"belize",
"div div",
"passive dns",
"link",
"ipv4 add",
"url analysis",
"urls",
"files",
"meta",
"ddos",
"indicators show",
"search",
"type indicator",
"role title",
"added active",
"related pulses",
"hostname",
"types",
"hosanna",
"x show",
"ck ids",
"t1060",
"run keys",
"startup",
"folder",
"t1036",
"capture",
"cookie",
"palantir",
"indicator role",
"active related",
"description",
"trump supporter",
"types of",
"germany",
"china",
"netherlands",
"https",
"notice",
"billions",
"stop",
"boobs130432 no",
"expiration",
"location poland",
"asn as29522",
"learn more",
"domain",
"foundry",
"hallrender",
"brian sabey",
"tam legal",
"christopher p ahmann",
"palantir",
"quasi government",
"pentagon"
],
"references": [
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"http://advocate-smyslova.ru/tsara-brashears/",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"http://orangeporntube.net/tsara-brashears.html",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://videolal.com/tsara-brashears-dead.html",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"http://www.tryporn.net/seach/tsara-brashears/",
"https://alohatube.xyz/search/tsara-brashearsL",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"http://orangeporntube.net/tsara-brashears.html",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"https://youjizz.sex/tsara-brashears.html",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"https://www.xvxx.me/search/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/tsara-brashear",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"http://www.bukaporn.net/trend/tsara-brashears/",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"https://mom2fuck.mobi/tsara-brashears.html",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"Targeting Tsara Brasheras and associated",
"Targeting Candace Owens"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1116",
"name": "Code Signing",
"display_name": "T1116 - Code Signing"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1051",
"name": "Shared Webroot",
"display_name": "T1051 - Shared Webroot"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1085",
"name": "Rundll32",
"display_name": "T1085 - Rundll32"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1506",
"name": "Web Session Cookie",
"display_name": "T1506 - Web Session Cookie"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [
"Government",
"Defense",
"Healthcare"
],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3709,
"hostname": 1109,
"FileHash-SHA256": 2872,
"FileHash-MD5": 214,
"FileHash-SHA1": 203,
"domain": 557
},
"indicator_count": 8664,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "156 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6920c43c3772bb24f26f70cc",
"name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun",
"description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.",
"modified": "2025-12-21T18:01:07.268000",
"created": "2025-11-21T19:57:48.145000",
"tags": [
"dynamicloader",
"write c",
"write",
"high",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"code",
"malware",
"defender",
"medium",
"binary file",
"heavensgate",
"bochs",
"dynamic",
"td td",
"td tr",
"united",
"a td",
"a domains",
"dynamic dns",
"static dns",
"dd wrt",
"twitter",
"trojan",
"trojandropper",
"null",
"enough",
"simple",
"click",
"easy",
"premium",
"associated urls",
"server response",
"google safe",
"results nov",
"avast avg",
"11.21.2025",
"11.20.2025",
"borland delphi",
"pe32",
"intel",
"ms windows",
"inno setup",
"win32 exe",
"pecompact",
"delphi generic",
"pe32 compiler",
"dark comet",
"dark gate",
"glassworm",
"md5 code",
"data",
"porkbun llc",
"windows match",
"getprocaddress",
"peb idrdata",
"match peb",
"t1547",
"t1059 t1112",
"shared modules",
"t1129",
"boot",
"logon autostart",
"execu",
"t1134 boot",
"encoding",
"capture e1113",
"file attributes",
"analysis ob0001",
"b0001 software",
"virtual machine",
"detection b0009",
"analysis ob0002",
"ob0003 screen",
"windows get",
"check",
"encode",
"check internet",
"wininet set",
"clear file",
"enumerate gui",
"get hostname",
"get keyboard",
"set registry",
"find",
"capture",
"url http",
"consolefoundry",
"console foundry",
"foundry",
"malware catalog tree",
"autorun keys",
"modification",
"alexander karp",
"peter theil",
"christoper ahmann",
"christopher pool",
"mercedes",
"apple",
"palantir",
"adversarial",
"adversaries",
"hostile",
"quasi",
"empty hash",
"denver",
"mal_xred_backdoor",
"backdoor",
"xred",
"brian sabey",
"first-send-petikvx",
"stop",
"glassworm",
"elex",
"darkgate",
"dark-comet",
"search",
"entries",
"show",
"yara detections",
"icmp traffic",
"rtf file",
"top source",
"top destination",
"format",
"host",
"copy",
"next",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"found",
"access att",
"font",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"ascii text",
"pattern match",
"sha256",
"mitre att",
"title",
"meta",
"hybrid",
"local",
"path",
"strings",
"body",
"contact",
"trace",
"form",
"bitcoin",
"core",
"jeffrey reimer",
"exe infection",
"cve",
"porn"
],
"references": [
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"Alerts: packer_unknown",
"Malicious IP Contacted: 69.42.215.252",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"http://freedns.afraid.org/images/apple.gif",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"http://consolefoundry.date/one/gate.php",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Emotet-9850453",
"display_name": "Win.Trojan.Emotet-9850453",
"target": null
},
{
"id": "Win.Trojan.BlackNetRAT-7838854-0",
"display_name": "Win.Trojan.BlackNetRAT-7838854-0",
"target": null
},
{
"id": "Win.Dropper.Nanocore-10021490-0",
"display_name": "Win.Dropper.Nanocore-10021490-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Packed.Remcos-10024510-0",
"display_name": "Win.Packed.Remcos-10024510-0",
"target": null
},
{
"id": "Code Overlap",
"display_name": "Code Overlap",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "PSW:Win32/VB.CU",
"display_name": "PSW:Win32/VB.CU",
"target": "/malware/PSW:Win32/VB.CU"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1541",
"name": "Foreground Persistence",
"display_name": "T1541 - Foreground Persistence"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.002",
"name": "File Transfer Protocols",
"display_name": "T1071.002 - File Transfer Protocols"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1592",
"name": "Gather Victim Host Information",
"display_name": "T1592 - Gather Victim Host Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1078.004",
"name": "Cloud Accounts",
"display_name": "T1078.004 - Cloud Accounts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 460,
"FileHash-SHA1": 437,
"FileHash-SHA256": 4483,
"SSLCertFingerprint": 2,
"URL": 6487,
"hostname": 1772,
"domain": 652,
"CVE": 3,
"email": 5
},
"indicator_count": 14301,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "162 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "176 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68eff0848071708f9ee0c0bd",
"name": "Gamarue \u2022 G3nasom\u2022 Simda\u2022 Ganelp affecting Assurant and T-Mobile Part 3",
"description": "",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T19:05:40.466000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": "68efee5ba882db423d3bad8f",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "199 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68efee5ba882db423d3bad8f",
"name": "Assurant & T-Mobile BLYP Checkin ET MALWARE TROJAN \u2022 Kryptic",
"description": "",
"modified": "2025-11-14T17:02:12.746000",
"created": "2025-10-15T18:56:27.950000",
"tags": [
"ipv4",
"email abuse",
"email info",
"active related",
"passive dns",
"files related",
"related tags",
"none google",
"external",
"present aug",
"present sep",
"present jun",
"present jul",
"present oct",
"ipv4 https",
"crosscountry",
"mortgagefamily",
"port",
"read c",
"destination",
"high",
"intel",
"ms windows",
"stream",
"explorer",
"write",
"malware",
"united",
"asnone",
"et trojan",
"windows nt",
"suspicious",
"win64",
"zune",
"et",
"netherlands",
"segoe ui",
"found content",
"length",
"content type",
"ipv4 add",
"pulse pulses",
"urls",
"error",
"ip address",
"pulse submit",
"url analysis",
"files",
"domain",
"ip related",
"pulses none",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"spawns",
"command",
"found",
"defense evasion",
"ssl certificate",
"execution",
"path",
"secure",
"show technique",
"mitre att",
"ck matrix",
"maxage31536000",
"expirestue",
"brand",
"microsoft edge",
"date",
"cookie",
"sha1",
"ascii text",
"sha256",
"pattern match",
"hybrid",
"local",
"click",
"strings",
"show process",
"flag",
"programfiles",
"command decode",
"comspec",
"model",
"general",
"starfield",
"encrypt",
"iframe",
"development att",
"backdoor",
"win32",
"reverse dns",
"location india",
"india asn",
"trojan",
"mtb win32"
],
"references": [
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"you.are.poor.i.got.trap.money?",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"Romania",
"South Africa"
],
"malware_families": [
{
"id": "BC.Win.Packer.Troll-11",
"display_name": "BC.Win.Packer.Troll-11",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Crypt3.BOJE",
"display_name": "Crypt3.BOJE",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.OV!MTB",
"display_name": "Trojan:Win32/Glupteba.OV!MTB",
"target": "/malware/Trojan:Win32/Glupteba.OV!MTB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "ProRat",
"display_name": "ProRat",
"target": null
},
{
"id": "Backdoor:Win32/Prorat.L",
"display_name": "Backdoor:Win32/Prorat.L",
"target": "/malware/Backdoor:Win32/Prorat.L"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan",
"display_name": "Win32:Trojan",
"target": null
},
{
"id": "DanaBot",
"display_name": "DanaBot",
"target": null
},
{
"id": "Atros3.AHFB",
"display_name": "Atros3.AHFB",
"target": null
},
{
"id": "Crypt5.BBYH",
"display_name": "Crypt5.BBYH",
"target": null
},
{
"id": "Crypt4.AHSW",
"display_name": "Crypt4.AHSW",
"target": null
},
{
"id": "Crypt3.COIZ",
"display_name": "Crypt3.COIZ",
"target": null
},
{
"id": "Crypt3.CMTM",
"display_name": "Crypt3.CMTM",
"target": null
},
{
"id": "Crypt3.CKTO",
"display_name": "Crypt3.CKTO",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXGR",
"display_name": "Crypt3.BXGR",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BOQD",
"display_name": "Crypt3.BOQD",
"target": null
},
{
"id": "Crypt3.BLXP",
"display_name": "Crypt3.BLXP",
"target": null
},
{
"id": "Crypt3.BOIU",
"display_name": "Crypt3.BOIU",
"target": null
},
{
"id": "Inject2.BHBW",
"display_name": "Inject2.BHBW",
"target": null
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
}
],
"industries": [
"Telecommunications",
"Insurance"
],
"TLP": "white",
"cloned_from": "68efedf37890e1b32d60eb55",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10010,
"FileHash-MD5": 150,
"FileHash-SHA1": 144,
"FileHash-SHA256": 2869,
"domain": 2046,
"email": 6,
"hostname": 3705,
"SSLCertFingerprint": 19
},
"indicator_count": 18949,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "199 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie",
"192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host",
"remotewd.com device local",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/",
"nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com",
"http://orangeporntube.net/tsara-brashears.html",
"passwd",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>",
"Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244",
"newsyslog.conf",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"IP\u2019s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56",
"authorization_lacont",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html",
"http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php",
"https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png",
"https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432",
"8-25-220-162-static.reverse.queryfoundry.net",
"postfix-files",
"manpaths",
"master.cf.proto",
"chkpasswd",
"http://mail.thyrsus.com/ [phishing]",
"Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets",
"autofs.conf",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/",
"mail.rc",
"https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f",
"httpd-ssl.conf",
"audit_warn",
"Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process",
"AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"IP\u2019s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Alerts: stealth_window packer_entropy uses_windows_utilities",
"http://51-235-245-104-static.reverse.queryfoundry.net/",
"http://www.tryporn.net/seach/tsara-brashears/",
"BGP Hurricane Electric seen",
"makedefs.out",
"checkpw",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://webmail.police.govmm.org/owa/",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"Zergeca related URLs , URI\u2019s , Domains, inaccessible files referenced",
"httpd-dav.conf",
"syslog.conf",
"http://api.steampowered.com/http:/api.steampowered.com/ISteamUser/GetPlayerSummaries/v2/?key=C48A57D233D635FB8F3F10A436ECC1C6&steamids=76561198381531427 [Apple ' Get Player Summary]",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"httpd.conf",
"http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"com.apple.coreduetd",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
"http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry",
"caselaw.lawlink.com",
"sshd",
"com.apple.contacts.ContactsAutocomplete",
"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com",
"pornhub-e.com \u2022 www.pornhub.com \u2022",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"audit_user",
"Alerts: queries_user_name queries_keyboard_layout queries_locale_api",
"other",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"https://rdweb.datafoundry.com/",
"http://consolefoundry.date/one/gate.php",
"Indicators seen may have affected a few OTX users. Is ongoing",
"johndoe.conf",
"http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'",
"TLS_LICENSE",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf",
"AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States",
"https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com",
"https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html",
"AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States",
"proxy-html.conf",
"cupsd.conf",
"ftpusers",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
"com.apple.screensharing.agent.launchd",
"https://youjizz.sex/tsara-brashears.html",
"181-135-182-107-static.reverse.queryfoundry.net",
"relocated",
"com.apple.slapconfig.conf",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot",
"https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies",
"http://181-135-182-107-static.reverse.queryfoundry.net/",
"http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing",
"https://www.vgt.pl/94.152.152.233/images/logo.png",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing",
"Yara Detections : compromised_site_redirector_fromcharcode",
"com.apple.mkb",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"audit_class",
"asl.conf",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections",
"aliases",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://alohatube.xyz/search/tsara-brashearsL",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"http://www.bukaporn.net/trend/tsara-brashears/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family",
"Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below",
"group",
"31.6.16.33\t\u2022 network.target [Found in Zergeca Botnet]",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"https://www.sweetheartvideo.com/tsara-brashear",
"shells",
"http://237-189-251-104-static.reverse.queryfoundry.net/",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js",
"http://167-16-68-38-static.reverse.queryfoundry.net/",
"httpd-default.conf",
"Some may may find this content is very disturbing and offensive",
"multi-user.target \u2022 ootheca.top \u2022 network.target \u2022 ootheca.pw [Found in Zergeca Botnet]",
"php7.conf",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/",
"Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.",
"https://hybrid-analysis.com/sample/87ee92129f42f32417ae21cab1a2bc98adc48ee692a20e1ab3c5277d67dd12e5/69312056ce09855ecd0e3069",
"Potentially Pegasus related . Found to be affecting an IOS device",
"Yara Detections: MS_Visual_Basic_6_0",
"http://videolal.com/tsara-brashears-dead.html",
"http://www.anyxxxtube.net/search-porn/tsara-brashears/",
"http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.",
"67-228-69-38-static.reverse.queryfoundry.net",
"auto_home",
"http://212.33.237.86/images/1/report.php",
"sudo",
"http://advocate-smyslova.ru/tsara-brashears/",
"LICENSE",
"login.term",
"https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png",
"tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"csh.login",
"http://117-114-251-162-static.reverse.queryfoundry.net/",
"transport",
"http://227-98-248-162-static.reverse.queryfoundry.net/",
"you.are.poor.i.got.trap.money?",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"com.apple.install",
"Yara Detections: Armadillov171",
"Alerts: console_output antivm_memory_available pe_features",
"http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>",
"gettytab",
"cups",
"httpd-autoindex.conf",
"https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"com.apple.xscertd.conf",
"Unknown Persons impersonating Private Investigators (plural)",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"rmtab",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com",
"http://www.anyxxxtube.net/search-porn/tsara-brashears",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"http://p2d.josht.ca/ \u2022 http://p2d.josht.ca/assets/content-delivery/depots/download/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"84.54.51.82 \u2022 http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]",
"http://201-191-251-104-static.reverse.queryfoundry.net/",
"Targeting Candace Owens",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"http://195-214-98-172-static.reverse.queryfoundry.net/",
"https://www.xvxx.me/search/tsara-brashears/",
"http://207-214-98-172-static.reverse.queryfoundry.net/",
"Mark Brian Sabey",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous",
"Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"com.apple.performance",
"https://www.mumuplayer.com/redirect/customerservice/fB)y",
"audit_event",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"AS15169 google llc | 8.8.8.8\t| dns.google | United States",
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"cups-files.conf.default",
"www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>",
"Victim silenced. Struck by Car Driven by male police let walk",
"https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"zprofile",
"screensaver_la",
"Contacted Domains: tick.usno.navy.mil www.thinkman.com",
"find.codes",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"screensaver_aks",
"https://www.vgt.pl/font/roboto/Roboto-Medium.ttf",
"http://freedns.afraid.org/images/apple.gif",
"main.cf",
"https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles",
"Believed to be originating from Germany and Russia",
"porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"http://josht.ca/portfolio/ \u2022 https://sa.josht.ca/ \u2022 https://test.josht.ca/ \u2022 https://p2d.josht.ca/api/depots/info/?depot=",
"networks",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"https://blackbox-exporter.lenovo-k8s.home.local.advena/",
"rc.common",
"com.apple.iokit.power",
"https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn",
"master.cf",
"ntp_opendirectory.conf",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )",
"eta-apple.com \u2022 006.ts.apple.com \u2022 012.ts.apple.com",
"Verification failure observed in automated verification handlers during sandbox replay.",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/",
"https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/",
"http://www.gdsl-pallemoebler.info/seach/tsara-brashears/",
"https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO",
"Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380",
"tsara-brashears-deadspin-twitter-suspended-account-help.ht",
"154-143-182-107-static.reverse.queryfoundry.net",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"nfs.conf",
"http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO",
"FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0",
"IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org",
"screensaver_ctk",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"IP\u2019s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184",
"Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"Matches rule Registry Modification to Hidden File Extension by frack113",
"Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]",
"https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies",
"man.conf",
"com.apple.MessageTracer",
"(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007",
"httpd-vhosts.conf",
"deviceinbox.com",
"Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]",
"sudo_local.template",
"https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com",
"444ea032708bb0d940de0ef72b944244 | credit msudosos",
"https://browntubeporn.com/tsara-brashearsAccept-Language",
"https://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"http://onlyindianporn2.com/videos/tsara-brashears/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"20.50.2.51 \u2022 https://hybrid-analysis.com/sample/903834f3326ee0dccde4c134fd51799ea728e7200e6b1d699a0500e6de276f79/68efd2a168a5e234250286cf",
"Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"screensaver_new_ctk",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"generic",
"http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/",
"com.apple.eventmonitor",
"IDS Detections: HackingTrio UA (Hello, World) \u2022 HTTP traffic on port 443 (POST)",
"mailbox.co.za",
"navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/",
"https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies",
"mpm.conf",
"getsupport.apple.com\t \u2022 apple.com",
"https://tamlegal.com/attorneys/christopher-p-ahmann/",
"205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )",
"8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/",
"http://142-232-245-104-static.reverse.queryfoundry.net/",
"vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl",
"http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html",
"Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.",
"http://foundry2-lbl.dvr.dn2.n-helix.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"blackbox-exporter.lenovo-k8s.home.local.advena.io",
"cups-files.conf",
"http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"locate.rc",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution",
"https://www.sweetheartvideo.com/tsara-brashears",
"http://177-231-69-38-static.reverse.queryfoundry.net/",
"https://dns.google/resolve?name=SELECT",
"Address shows an place of origin: Broomfield , Co",
"support.apple.com [nefarious]",
"screensaver",
"com.apple",
"http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html",
"www.opencandy.com",
"com.apple.mkb.internal",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"ASN AS27064 dod network information center",
"https://www.vgt.pl/font/fa/fontawesome-webfont.eot",
"Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http",
"ppa.launchpad.net [Apple open use]",
"http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833",
"Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"Crowdsourced IDS Below:",
"https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger",
"csh.logout",
"1click-uninstaller.informer.com [Apple - access PE]",
"https://www.datafoundry.com/category/news/press-releases/",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"httpd-mpm.conf",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Matches rule Creation of an Executable by an Executable by frack113",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"notify.conf",
"https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com",
"Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/",
"\u2018Can't access file\u2019[Found in Zergeca Botnet]",
"p2d.josht.ca \u2022 test.josht.ca \u2022 josht.ca \u2022 dev.josht.ca \u2022 pma.josht.ca \u2022 staging.josht.ca \u2022 http://dev.josht.ca/",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"screensaver_new_aks",
"https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0",
"http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/",
"IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com",
"0-209-98-172-static.reverse.queryfoundry.net",
"http://10-241-60-103-static.reverse.queryfoundry.net/",
"Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe",
"https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/",
"http://www.apple.com/certificateauthority/AppleApplicationIntegrationCA5G1.cer [Apple Ubuntu access]",
"cupsd.conf.default",
"afpovertcp.cfg",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432",
"Targeting Tsara Brasheras and associated",
"Malicious IP Contacted: 69.42.215.252",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"cbi.com",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"IP\u2019s Contacted: 192.124.249.187",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 com.apple",
"authorization_ctk",
"This pulse is so huge it\u2019s a mess. Will break down.",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"http://154-143-182-107-static.reverse.queryfoundry.net/",
"www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png",
"crypto-pool.fr",
"Unique rule identifier: This rule belongs to a private collection.",
"rc.netboot",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing, apple data collecting, malvertizing]",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"com.apple.authd",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Loads modules at runtime Looks up procedures from modules",
"https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia",
"Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access",
"zshrc",
"virtual",
"com.apple.mail",
"pf.os",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio",
"6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)",
"audit_control.example",
"https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2",
"https://www.mumuplayer.com/redirect/customerservice/_wig",
"http://watchhers.net/index.php",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"httpd-multilang-errordoc.conf",
"http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/",
"canonical",
"csh.cshrc",
"bashrc",
"ttys",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"httpd-info.conf",
"https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895",
"http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl",
"https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz",
"psk.txt",
"irbrc",
"Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org",
"su",
"rtadvd.conf",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"https://www.datafoundry.com/data-center-contamination-control/",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
"snmp.conf",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40",
"http://49-116-251-162-static.reverse.queryfoundry./net/",
"Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types",
"Assurant \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022",
"https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login",
"HTTPS://BeeLineRouter.Net",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"IDS: Observed Suspicious UA (Hello, World)",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"AVDetections: Patched3_c.AKRV",
"access",
"Alerts: cape_detected_threat",
"IDS Detections: Mirai Variant User-Agent (Inbound) \u2022 HackingTrio UA (Hello, World)",
"https://www.hallrender.com/attorney/brian-sabey/Accept",
"Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"177-231-69-38-static.reverse.queryfoundry.net",
"hosts.equiv",
"HP_ENVY_6000_series__3D66E1_.ppd",
"Matches rule Msiexec Initiated Connection by frack113",
"Calls an API typically used to retrieve function addresses, load a resource T1129\tShared Modules\t Execution Adversaries may execute malicious payloads via loading shared modules. Learn more",
"authorization",
"fmx32.aig.com \u2022 167.230.105.81",
"http://vgt.pl/r.n%20-",
"https://cloudflare-dns.com/dns | cloudflare-dns.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing",
"paths",
"www.joewa.com",
"com.apple.cdscheduler",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL",
"auto_master",
"files.conf",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"http://68-178-128-104-static.reverse.queryfoundry.net/",
"https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS unlocker password cracker]",
"https://appleid.xn--appe-70a.com/",
"Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop",
"Abused Domains Contacted: xred.mooo.com freedns.afraid.org",
"Yara Detections: MacSync_AppleScript_Stealer , UPX ,",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/",
"screensaver_new",
"LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado",
"profile",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"https://www.sweetheartvideo.com/scenes?models=63710",
"custom_header_checks",
"https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354",
"https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join",
"com.apple.slapd.conf",
"http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...",
"IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"http://findbetterresults.com/Merino_Wool_Sweater.cfm?domain=forever-maroc.info&fp=8hY5xppsJcgtsARaT7WA9YWFkv73AgUQdyA1jnNh+yA3h9O8vZwUKqaru+BK8mHlpfLdKQ3uyLeEMmr67cTpI5enUnehh8e08wXWZNWzuUuirPDdezatbM1egtU/y9NvL+vDq1mMMFh/mM2oY2OTk3Q55I/HPDvMg9G5tDB7B2NI1ORnlbH9It49w5nNtE8GPJO62ZrvE7op4RE1uejyAg==&yep=tn+cv4IO28h1WrEcdzQlEs/jm101ce3N5Yd+dISS3zi1qqYLL/bRey5jbLHFBau3HlE+l5mG3OfHGMjIhgUcSjmzkFmO8xF5WIF5bJ3TAo5F28EHKI1Zq/4skZteAEAU5z84hISeRSzcOq5BOh6KqXkJ975lpWA3dnOl6D4sRQWtda/GdACNYKHuxXk56T3vAIxgvjIsOYAJmKp5S",
"http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"https://www.vgt.pl/favicon.ico",
"https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]",
"Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep",
"screensaver_new_la",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"bounce.cf.default",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif",
"Crypt3.BOJE \u2022 https://otx.alienvault.com/indicator/file/b7a2657fc02c6dea2c4f99c80c6a938d3b6b2b76767d27ff837276ca46851984",
"https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot",
"https://wallpapers-nature.com/tsara-brashears/urlscan-io",
"IDS Detections: MVPower DVR Shell UCE \u2022 HackingTrio UA (Hello, World)",
"resolv.conf",
"I bring up the personal nature of the crime because a delete service has been used",
"https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot",
"main.cf.default",
"Muslims have built, supported, and assisted. or Muslims: Support and Solidarity",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"authorization_aks",
"Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading",
"https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022",
"IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST",
"237-189-251-104-static.reverse.queryfoundry.net",
"Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
"Alerts: packer_unknown",
"snmp.conf.default",
"Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi",
"Ronda Cordova",
"bashrc_Apple_Terminal",
"Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi",
"http://0-209-98-172-static.reverse.queryfoundry.net/",
"www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512",
"Assurant \u2022 BC.Win.Packer.Troll-11 \u2022 https://otx.alienvault.com/indicator/domain/assurant.com",
"https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/",
"main.cf.proto",
"IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.",
"TrojanDownloader:Win32/Umbald.A\tMalware infection",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"master.cf.default",
"Quasi Government Case",
"Email: d4@thinkman.com",
"\u2018Can't access file\u2019 Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca",
"Tulach \u2022 114.114.114.114",
"com.apple.login.guest",
"kern_loader.conf",
"http://blackbox-exporter.lenovo-k8s.home.local.advena.io/",
"hosts",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"xtab",
"10-cryptex",
"http://81-26-68-38-static.reverse.queryfoundry.net/",
"Since September 2023, according to an analysis by cyber security firm XLab CTIA.",
"https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar",
"i\u0628\u0627\u0645\u0633\u0644\u0645\u0648\u0646 \u0644\u0645\u0647\u0645\u0645\u0644\u0645\u0645\u0646\u0627\u0645\u0635\u0646\u0627\u0621\u0648\u0627\u0645\u0645\u0633\u0627\u0646\u062f | \u0645\u0637\u0639\u0645+ \u0645\u0645\u0627\u0645\u0627\u0645",
"Melvin Sabey",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"167-16-68-38-static.reverse.queryfoundry.net",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"authorization_la",
"ntp.conf",
"smbd",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"protocols",
"Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States",
"Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun",
"pf.conf",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"nsmb.conf",
"Christopher P \u2018Buzz\u2019 Ahmann",
"com.apple.networking.boringssl",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer",
"https://www.sweetheartvideo.com/model/63710/brandi-love",
"Denver Police Department Major Crimes closed investigation",
"http://36-243-60-103-static.reverse.queryfoundry.net/",
"DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26",
"header_checks",
"Crowdsourced SIGMA Below:",
"https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com",
"httpd-manual.conf",
"httpd-languages.conf",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"httpd-userdir.conf",
"queryfoundry.net",
"apple.k8s.joewa.com \u2022 joewa.com \u2022 http://apple.k8s.joewa.com/ \u2022 https://apple.k8s.joewa.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"zshrc_Apple_Terminal",
"login",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"rpc",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"Updated | What\u2019s left after theft",
"https://mom2fuck.mobi/tsara-brashears.html",
"racoon.conf",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
"DragonForce Hacker Group Malaysia, Al-Arqam"
],
"malware_families": [
"Et trojan",
"Cl0p",
"Alf:trojan:powershell/dynamicloader",
"Pegasus for mac",
"#hstr:hacktool:win32/remoteshell",
"Psw:win32/vb.cu",
"Et",
"Skynet",
"#lowfi:hstr:win32/mediadownloader",
"Crypt4.ahsw",
"Trojandownloader:win32/umbald.a",
"Trojandownloader:linux/mirai",
"Crypt3.boqd\t\t inject2.bhbw",
"Hacktool",
"Graphite (pegasus variant)",
"Lockbit",
"Tulach malware",
"Atros.upk",
"Tons of malware",
"Worm:win32/autorun",
"Heur/unsec",
"Crypt3.coiz",
"Win.trojan.rootkit-4668",
"Win.malware.salat-10058846-0",
"Win.trojan.emotet-9850453",
"Mydoom",
"Tofsee",
"Jaik",
"Pegasus",
"Crypt3.ckto",
"Crypt3.bmvu",
"Backdoor:linux/mirai",
"Win.trojan.blacknetrat-7838854-0",
"Win.trojan.emotet-9850453-0",
"Crypt3.bxvc",
"Ransom:win32/makop",
"Paragon (pegasus variant)",
"Pws:win32/xport",
"Cve-2023-22518",
"Ms defender\talf:heraklezeval:trojan:win32/clipbanker",
"Crypt3.boqd",
"Win.dropper.nanocore-10021490-0",
"Crypt5.bbyh",
"Atros3.ahfb",
"Trojan.mydoom/mudrop",
"Careto",
"Quasar rat",
"Xloader for ios - s0490",
"Inject2.bhbw",
"Pegasus rdp module for windows",
"Trojan:win32/qshell",
"Pegasus for android - mob-s0032",
"Win.trojan.nanocore-5",
"Pegasus for ios - s0289",
"Lumma stealer",
"Crypt3.chzw",
"Alf:trojan:win32/formbook",
"Trojan.generickdz.93839",
"Html smuggling",
"Worm:win32/bloored.e",
"Gandcrab ransomware",
"Unix.trojan.mirai-7669677-0",
"Crypt3.cmtm",
"Crypt3.boiu",
"Ransomexx (elf)",
"Starfighter (javascript)",
"Zeroaccess - s0027",
"Trojan:js/berbew",
"Unix.trojan.mirai",
"Patched3_c.akrv",
"Zergeca",
"Win.trojan.adinstall-2",
"Porn revenge",
"Qakbot",
"Worm:win32/mofksys.rnd!mtb",
"Alf:html/phishing",
"Prorat",
"Other malware",
"Simda",
"Alf:backdoor:powershell/reverseshell",
"#lowfi:exploit:java/cve-2012-0507",
"Trojan:win32/tiggre!rfn",
"Worm:win32/autorun!atmn",
"Crypt3.bxgr",
"Win.trojan.vbgeneric-6735875-0",
"Cve-2025-20393",
"Win32:agent-alxe\\ [rtk]",
"Win.trojan.tofsee-7102058-0",
"Luhe.fiha.a",
"Cve-2018-10562",
"Cobalt strike",
"#lowfi:siga:trojandownloader:msil/genmaldow",
"Redline",
"Win32:malware-gen",
"#lowfitrojan:html/iframe",
"Win.packed.remcos-10024510-0",
"Trojan.win.small",
"Mirai (windows)",
"Trojanspy:win32/nivdort",
"#lowfidetectsvmware",
"Trojanspy",
"Alf:backdoor:java/webshell",
"Win32:trojan-gen",
"Trojan/win32.gamarue.c1976125",
"Trojan:win32/mydoom",
"Inject2.bive",
"Makop",
"Bc.win.packer.troll-11",
"Crypt3.boje",
"Backdoor:win32/prorat.l",
"Trojan.sagnt/r011c0dfs24",
"Alf:jasyp:trojandownloader:win32/smallagent!atmn",
"Crypt3.bxmj",
"Emotet",
"Cve-2024-6387",
"Crypt3.blxp",
"Trojan:win32/glupteba.ov!mtb",
"Win32:trojan",
"Win.virus.expiro",
"Danabot",
"Formbook",
"Trojan.downloader12.43161",
"Backdoor:win32/tofsee.t",
"Psw.generic13",
"Code overlap",
"Pua.optimizerpro/pcoptimizerpro",
"Dark power",
"#virtool:win32/obfuscator.adb"
],
"industries": [
"Military",
"Civilians",
"People",
"Civil",
"Defense",
"Healthcare",
"Insurance",
"Telecommunications",
"Government",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-05-17T15:52:35.396000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 28000,
"FileHash-SHA256": 48374,
"FileHash-MD5": 42596,
"FileHash-SHA1": 23243,
"hostname": 35654,
"URL": 75758,
"SSLCertFingerprint": 30,
"CVE": 7585,
"email": 316,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"URI": 5,
"IPv4": 574,
"Mutex": 1
},
"indicator_count": 288350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"URL": 5165,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"CVE": 1
},
"indicator_count": 17526,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-05-16T00:08:35.224000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"URL": 3826,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10542,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "17 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc6c9f25c71625fb0b9e6",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-05-14T04:01:31.012000",
"created": "2026-04-14T04:47:05.317000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2050,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc67ab71a32bb4cd407ca",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-05-14T04:01:31.012000",
"created": "2026-04-14T04:45:46.815000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2050,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc674d6814ef6ff10b49a",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-05-14T04:01:31.012000",
"created": "2026-04-14T04:45:40.694000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 513,
"FileHash-SHA256": 807,
"domain": 136,
"FileHash-MD5": 335,
"FileHash-SHA1": 278,
"URL": 721
},
"indicator_count": 2790,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "19 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d4442a0b5217c34bbcbd2d",
"name": "VirusTotal report\n for install.sh",
"description": "",
"modified": "2026-05-06T23:07:30.047000",
"created": "2026-04-06T23:39:22.105000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 43,
"FileHash-SHA1": 45,
"FileHash-SHA256": 1421,
"URL": 261,
"hostname": 73,
"domain": 235,
"email": 1
},
"indicator_count": 2079,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d44428ad43f231ff43e175",
"name": "VirusTotal report\n for install.sh",
"description": "",
"modified": "2026-05-06T23:07:30.047000",
"created": "2026-04-06T23:39:20.767000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 43,
"FileHash-SHA1": 45,
"FileHash-SHA256": 1421,
"URL": 261,
"hostname": 73,
"domain": 235,
"email": 1
},
"indicator_count": 2079,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "26 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "creeo.studio",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "creeo.studio",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780395003.6269426
}