{ "type": "Domain", "indicator": "crypto.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/crypto.com", "alexa": "http://www.alexa.com/siteinfo/crypto.com", "indicator": "crypto.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain crypto.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3351103058, "indicator": "crypto.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 19, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-06-01T00:38:49.108000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 5 }, "indicator_count": 18414, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "35 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e7f5af6e96759df2850fbe", "name": "IOSCO I-SCAN financial regulators warnings (https://www.iosco.org/i-scan/)", "description": "The IOSCO platform \"https://www.iosco.org/i-scan/\" consolidates scam/fraud warnings and IoC from worldwide financial regulators.", "modified": "2026-05-31T04:56:42.856000", "created": "2025-03-29T13:29:19.213000", "tags": [ "phishing", "scam", "financial", "fake", "investment", "recovery" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 224, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14596, "email": 6980, "domain": 10828, "hostname": 7684 }, "indicator_count": 40088, "is_author": false, "is_subscribing": null, "subscriber_count": 167, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-05-24T21:18:51.782000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 53, "FileHash-SHA1": 16, "FileHash-SHA256": 1059, "URL": 6374, "domain": 3314, "email": 1395, "hostname": 3740, "CVE": 1 }, "indicator_count": 15999, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e6b5db72b21e3d8990ad72", "name": "private", "description": "", "modified": "2026-05-20T23:09:29.909000", "created": "2026-04-20T23:25:15.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 212, "URL": 283, "hostname": 192, "FileHash-SHA256": 136, "FileHash-MD5": 121, "FileHash-SHA1": 117, "email": 13, "URI": 3 }, "indicator_count": 1077, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e9c8e63a72c7cb531a58ba", "name": "08.09.24 URLscanio 2 weeks.csv", "description": "", "modified": "2025-10-25T02:09:23.619000", "created": "2024-09-17T18:22:30.731000", "tags": [], "references": [ "https://x.com/NorrisN60014/status/1836092481978486802", "https://x.com/NorrisN60014/status/1836092481978486802", "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f", "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2", "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports", "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 6, "URL": 1074, "domain": 1530, "email": 2, "hostname": 2849 }, "indicator_count": 5464, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "450 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672ab35bf473ce2dacd6c451", "name": "InQuest - 05-11-2024", "description": "", "modified": "2024-12-06T00:00:19.259000", "created": "2024-11-06T00:07:55.388000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "FileHash-MD5": 33, "URL": 474, "domain": 43, "hostname": 299, "FileHash-SHA1": 20 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67296341c2cf1ea0dcd07af6", "name": "InQuest - 04-11-2024", "description": "", "modified": "2024-12-05T00:01:00.059000", "created": "2024-11-05T00:13:53.185000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "URL": 481, "domain": 43, "FileHash-MD5": 33, "hostname": 301, "FileHash-SHA1": 20 }, "indicator_count": 1118, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672812847a9c534e9a56ce48", "name": "InQuest - 03-11-2024", "description": "", "modified": "2024-12-04T00:04:46.021000", "created": "2024-11-04T00:17:08.609000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 410, "FileHash-SHA256": 42, "FileHash-MD5": 12, "FileHash-SHA1": 2, "hostname": 298 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "544 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6726c0f6d95b33af726583d1", "name": "InQuest - 02-11-2024", "description": "", "modified": "2024-12-03T00:01:44.191000", "created": "2024-11-03T00:16:54.875000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 410, "FileHash-SHA256": 42, "FileHash-MD5": 12, "FileHash-SHA1": 2, "hostname": 298 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "545 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6725701ab2fe91b331357936", "name": "InQuest - 01-11-2024", "description": "", "modified": "2024-12-02T00:03:32.785000", "created": "2024-11-02T00:19:38.082000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "FileHash-MD5": 12, "URL": 409, "FileHash-SHA1": 2, "hostname": 298, "domain": 32 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "546 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67241e8c185ad2c3b5ead344", "name": "InQuest - 31-10-2024", "description": "", "modified": "2024-12-01T00:03:12.320000", "created": "2024-11-01T00:19:24.082000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "hostname": 287, "URL": 380, "domain": 20, "FileHash-SHA256": 343 }, "indicator_count": 1037, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "547 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4885e735b9e8ba94805bc", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "", "modified": "2024-09-05T06:51:42.608000", "created": "2024-01-15T01:20:30.730000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a429795adf468b427a3c8b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2469, "URL": 6038, "FileHash-MD5": 169, "FileHash-SHA1": 157, "FileHash-SHA256": 3922, "CIDR": 2, "hostname": 2787, "email": 2, "CVE": 1 }, "indicator_count": 15547, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "633 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b0fa3624bf0384e427f2e7", "name": "Tracking Domains 4.2 - 08.19.24", "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)", "modified": "2024-09-04T15:01:01.432000", "created": "2024-08-05T16:13:42.563000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://viz.greynoise.io/query/AS4611", "https://urlscan.io/asn/AS4611", "https://urlscan.io/search/#asn:%22AS4611%22", "https://urlscan.io/asn/AS45090", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://viz.greynoise.io/query/AS45090", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6180, "FileHash-MD5": 1, "domain": 24921, "URL": 10854 }, "indicator_count": 41956, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b1f33258a8e26033b17", "name": "Tracking Domains - Part 4.1", "description": "More Tracking Domains", "modified": "2024-08-30T13:02:28.335000", "created": "2024-04-22T17:15:11.398000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 94496, "FileHash-MD5": 63, "domain": 112327, "URL": 166918, "FileHash-SHA1": 33, "FileHash-SHA256": 103, "CIDR": 216 }, "indicator_count": 374156, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b204ecfba63974dc1d8", "name": "Tracking Domains - Part 4", "description": "More Tracking Domains", "modified": "2024-05-22T17:04:45.215000", "created": "2024-04-22T17:15:12.353000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 792, "FileHash-MD5": 1, "domain": 5803, "URL": 2 }, "indicator_count": 6598, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a429795adf468b427a3c8b", "name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com", "description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.", "modified": "2024-02-13T17:04:19.437000", "created": "2024-01-14T18:35:37.757000", "tags": [ "execution", "whois record", "contacted", "ssl certificate", "whois whois", "contacted urls", "copy", "historical ssl", "referrer", "urls url", "icmp", "malicious", "installer", "problems", "collections", "report", "phishing", "service tool", "greatness", "threat network", "emotet", "magniber", "startpage", "attack", "banker", "keylogger", "namecheap inc", "com laude", "ltd dba", "cloudflare", "porkbun llc", "ii llc", "csc corporate", "domains", "computer", "company limited", "first", "cloudflarenet", "google", "amazon02", "akamaias", "telecom italia", "utc submissions", "microsoftcorpas", "indonesia", "beijing gu", "appleaustin", "sucurisec", "amazonaes", "limited", "tsara brashears", "pornhub", "thebrotherssabey", "then brothers sabey", "brian sabey", "apple", "icloud", "apple engineering", "soc", "hacker", "teams", "malvertizing", "cyberthreat", "cyber crime", "data", "v3 serial", "number", "cgb stgreater", "ecc domain", "server ca", "subject public", "key info", "key algorithm", "ec oid", "remote", "remote attacker", "benjamin", "worm", "trojan", "win32", "trojanspy", "ransomware", "command and control", "cnc", "c2", "stealer", "password", "apple unlocker", "pornographers", "cyber stalking", "revenge rat", "masquerading", "scanning host", "phishing", "dns", "network", "cobalt strike", "mitre attack", "metro hacker", "t-mobile hacker", "stalker", "social engineering", "et", "torrent trecker", "view", "duckdns", "blackhat", "data center", "tracking", "illegal", "malware scripting", "malware spreader", "network rat", "multiple botnetworks" ], "references": [ "https://thebrotherssabey.wordpress.com/", "acam-mdn.apple.com", "beacons.bcp.gvt.com", "cpcontacts.webcamara.online", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "http://ti.hicloudcam.com", "http://alohatube.xyz/search/tsara-brashears", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://search.app.goo.gl/?ofl", "Worm:Win32/Benjamin", "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "applemusic-spotlight.myunidays.com", "nr-data.net", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "blackhat.store", "api.telegram.org", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Silk", "display_name": "Silk", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2462, "URL": 5950, "FileHash-MD5": 168, "FileHash-SHA1": 156, "FileHash-SHA256": 3901, "CIDR": 2, "hostname": 2766, "email": 2, "CVE": 1 }, "indicator_count": 15408, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61e775a55684b3f59e221162", "name": "Cybercrime Magazine - Page One For The Cybersecurity Industry", "description": "What the hell is going on here\n\n#cybercrimepodcast website #hostile #takeover or #Fraudulent?", "modified": "2022-01-21T01:49:51.363000", "created": "2022-01-19T02:21:25.571000", "tags": [ "date", "file sha256", "found", "nccat1", "nccat106", "oe5ccd32be", "ciso", "cybersecurity", "read article", "founder", "billion", "trillion", "report", "world", "women", "percent", "fortune", "click", "cyber", "team", "bank", "delta", "shark", "beyond", "phishing", "mind", "admiral", "pump", "podcast", "hacked", "crypto", "keeper", "back", "into" ], "references": [ "https://cybersecurityventures.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 68, "domain": 23, "URL": 408, "FileHash-SHA256": 125, "FileHash-MD5": 4 }, "indicator_count": 628, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1591 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab", "https://labs.inquest.net/iocdb", "acam-mdn.apple.com", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "http://alohatube.xyz/search/tsara-brashears", "https://x.com/NorrisN60014/status/1836092481978486802", "applemusic-spotlight.myunidays.com", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://urlscan.io/search/#asn:%22AS4611%22", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "blackhat.store", "api.telegram.org", "beacons.bcp.gvt.com", "https://search.app.goo.gl/?ofl", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C", "URLscanio, FSio, vT", "FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5", "https://viz.greynoise.io/query/AS4611", "https://viz.greynoise.io/query/AS45090", "cpcontacts.webcamara.online", "http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2", "https://cybersecurityventures.com/", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)", "http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php", "https://n0paste.eu/UH6n5pD/", "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "https://urlscan.io/asn/AS45090", "https://thebrotherssabey.wordpress.com/", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "Worm:Win32/Benjamin", "FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "http://ti.hicloudcam.com", "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports", "https://urlscan.io/asn/AS4611", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be", "nr-data.net", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Tulach", "#lowfi:siga:trojanspy:msil/keylogger", "Silk", "Worm:win32/benjamin", "Emotet", "Sabey" ], "industries": [ "Finance", "Telecommunications", "Technology", "Healthcare", "Transportation", "Hospitality", "Retail", "Education", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 19, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-06-01T00:38:49.108000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 5 }, "indicator_count": 18414, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "35 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e7f5af6e96759df2850fbe", "name": "IOSCO I-SCAN financial regulators warnings (https://www.iosco.org/i-scan/)", "description": "The IOSCO platform \"https://www.iosco.org/i-scan/\" consolidates scam/fraud warnings and IoC from worldwide financial regulators.", "modified": "2026-05-31T04:56:42.856000", "created": "2025-03-29T13:29:19.213000", "tags": [ "phishing", "scam", "financial", "fake", "investment", "recovery" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 224, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14596, "email": 6980, "domain": 10828, "hostname": 7684 }, "indicator_count": 40088, "is_author": false, "is_subscribing": null, "subscriber_count": 167, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-05-24T21:18:51.782000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 53, "FileHash-SHA1": 16, "FileHash-SHA256": 1059, "URL": 6374, "domain": 3314, "email": 1395, "hostname": 3740, "CVE": 1 }, "indicator_count": 15999, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e6b5db72b21e3d8990ad72", "name": "private", "description": "", "modified": "2026-05-20T23:09:29.909000", "created": "2026-04-20T23:25:15.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 212, "URL": 283, "hostname": 192, "FileHash-SHA256": 136, "FileHash-MD5": 121, "FileHash-SHA1": 117, "email": 13, "URI": 3 }, "indicator_count": 1077, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4463f3401c7dcb6cec20", "name": "MIT/m attack + Cloudflare/CDN Masking", "description": "Actor is utilizing uncertified \"shadow\" domains to execute Adversary-in-the-Middle (AiTM) attacks. By avoiding SSL/TLS certificates entirely, the infrastructure stays invisible to automated certificate monitoring tools.TECHNICAL ANALYSISZero-Cert Stealth: The absence of certificate data on email.mime.audio is a deliberate evasion tactic. It prevents the domain from appearing in public certificate databases, allowing the \"fb hacker\" proxy to operate in total darkness.Session Interception: Traffic is routed through the 104 IP space via HTTP. This allows the attacker to strip encryption and harvest session cookies and MFA tokens in plaintext before they ever reach the legitimate service provider.Library Mimicry: The mime.audio naming convention is designed to trick system admins into thinking the traffic is legitimate Python or email-handling library activity rather than an external exfiltration attempt.", "modified": "2026-05-12T06:43:45.967000", "created": "2026-05-07T07:50:59.816000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 514, "domain": 164, "hostname": 167, "IPv4": 17, "URL": 214, "URI": 1, "Mutex": 2 }, "indicator_count": 1091, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e9c8e63a72c7cb531a58ba", "name": "08.09.24 URLscanio 2 weeks.csv", "description": "", "modified": "2025-10-25T02:09:23.619000", "created": "2024-09-17T18:22:30.731000", "tags": [], "references": [ "https://x.com/NorrisN60014/status/1836092481978486802", "https://x.com/NorrisN60014/status/1836092481978486802", "https://www.hybrid-analysis.com/sample/a4f03d9a35524a7c0596777ea2b1fe5d98161b2462435e6056e4e39eb869396d/66e9ae1eb806d5b3300b842f", "https://viz.greynoise.io/analysis/79a3ab55-982c-4fb7-9952-abde6f1219c2", "https://www.filescan.io/uploads/66e9b5494a48170ff00c8102/reports", "https://report.netcraft.com/submission/9R7KbGQKOvzU9GBdraRBpUJ4C", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 6, "URL": 1074, "domain": 1530, "email": 2, "hostname": 2849 }, "indicator_count": 5464, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "450 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672ab35bf473ce2dacd6c451", "name": "InQuest - 05-11-2024", "description": "", "modified": "2024-12-06T00:00:19.259000", "created": "2024-11-06T00:07:55.388000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "FileHash-MD5": 33, "URL": 474, "domain": 43, "hostname": 299, "FileHash-SHA1": 20 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67296341c2cf1ea0dcd07af6", "name": "InQuest - 04-11-2024", "description": "", "modified": "2024-12-05T00:01:00.059000", "created": "2024-11-05T00:13:53.185000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "URL": 481, "domain": 43, "FileHash-MD5": 33, "hostname": 301, "FileHash-SHA1": 20 }, "indicator_count": 1118, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672812847a9c534e9a56ce48", "name": "InQuest - 03-11-2024", "description": "", "modified": "2024-12-04T00:04:46.021000", "created": "2024-11-04T00:17:08.609000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 410, "FileHash-SHA256": 42, "FileHash-MD5": 12, "FileHash-SHA1": 2, "hostname": 298 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "544 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "crypto.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "crypto.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780276466.3674614 }