{ "type": "Domain", "indicator": "datetime.now", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/datetime.now", "alexa": "http://www.alexa.com/siteinfo/datetime.now", "indicator": "datetime.now", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 748467, "indicator": "datetime.now", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd7c8b6a50e874aa6014c6", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:51.295000", "created": "2026-05-08T06:02:51.295000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c8a581c71ee4bcd7a00", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:50.534000", "created": "2026-05-08T06:02:50.534000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c8901f357b10d9f605a", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:49.354000", "created": "2026-05-08T06:02:49.354000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c878493ff5e9aaacf51", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:47.687000", "created": "2026-05-08T06:02:47.687000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c846a50e874aa6014c5", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:44.672000", "created": "2026-05-08T06:02:44.672000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c8330ebba9c3a9756b5", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:43.493000", "created": "2026-05-08T06:02:43.493000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c5a3c1d0e3dfa82dcc0", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:02.276000", "created": "2026-05-08T06:02:02.276000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c596fb7b0c2c3e7c26f", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:01.820000", "created": "2026-05-08T06:02:01.820000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c59c81d461876bc3313", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:01.178000", "created": "2026-05-08T06:02:01.178000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c541ec030a1fe8e53e3", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:56.225000", "created": "2026-05-08T06:01:56.225000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c52830a76e0bb57ebd2", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:54.747000", "created": "2026-05-08T06:01:54.747000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c3428a4db6bab37d25c", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:24.679000", "created": "2026-05-08T06:01:24.679000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c2c7ee28ed714b5b453", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:16.471000", "created": "2026-05-08T06:01:16.471000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c2bd284d3abf1eae70d", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:15.607000", "created": "2026-05-08T06:01:15.607000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c2a3e8ddab59f7f11a9", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:14.359000", "created": "2026-05-08T06:01:14.359000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c29c5e889148983b39f", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:13.500000", "created": "2026-05-08T06:01:13.500000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c28b991a3b45690a32c", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:01:12.439000", "created": "2026-05-08T06:01:12.439000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69f4eba31a8adb1aa8e6654d", "name": "2016: Malware Analysis Report", "description": "", "modified": "2026-05-01T18:06:27.269000", "created": "2026-05-01T18:06:27.269000", "tags": [], "references": [ "2016-01-12 - The Magnificent FIN7- Revealing a Cybercriminal Threat Group.pdf", "2016-01-01 - Die erste Ransomware in JavaScript- Ransom32.pdf", "2016-01-12 - Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia.pdf", "2016-01-13 - Russian group behind 2013 Foreign Ministry hack.pdf", "2016-01-09 - Confirmation of a Coordinated Attack on the Ukrainian Power Grid.pdf", "2016-01-18 - Updated Blackmoon banking Trojan stays focused on South Korean banking customers.pdf", "2016-01-22 - PlugX APT Malware.pdf", "2016-01-21 - Android Spywaller- Firewall-Style Antivirus Blocking.pdf", "2016-01-22 - New Attacks Linked to C0d0so0 Group.pdf", "2016-01-22 - The Impact of Dragonfly Malware on Industrial Control Systems.pdf", "2016-01-24 - Scarlet Mimic- Years-Long Espionage Campaign Targets Minority Activists.pdf", "2016-01-25 - Hidden Tear Ransomware Developer Blackmailed by Malware Developers using his Code.pdf", "2016-01-23 - Imminent Monitor 4 RAT Analysis \u2013 A Glance.pdf", "2016-01-28 - BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents.pdf", "2016-01-28 - CenterPOS- An Evolving POS Threat.pdf", "2016-01-29 - From Linux to Windows \u2013 New Family of Cross-Platform Desktop Backdoors Discovered.pdf", "2016-01-29 - Malicious Office Files Dropping Kasidet And Dridex.pdf", "2016-02-03 - Emissary Trojan Changelog- Did Operation Lotus Blossom Cause It to Evolve-.pdf", "2016-01-22 - Sykipot APT Malware.pdf", "2016-02-05 - Vawtrak and UrlZone Banking Trojans Target Japan.pdf", "2016-02-08 - APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks.pdf", "2016-01-29 - VB2015 paper- It's A File Infector... It\u2019s Ransomware... It's Virlock.pdf", "2016-02-02 - Vipasana ransomware new ransom on the block.pdf", "2016-02-09 - DMA Locker Strikes Back.pdf", "2016-02-09 - Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact.pdf", "2016-02-02 - DMA Locker- New Ransomware, But No Reason To Panic.pdf", "2016-02-12 - A Look Into Fysbis- Sofacy\u2019s Linux Backdoor.pdf", "2016-02-17 - Russian Police Prevented Massive Banking Sector Cyber Attack.pdf", "2016-02-09 - Bedep Lurking in Angler's Shadows.pdf", "2016-02-12 - Security Alert- Mazar BOT \u2013 the Android Malware That Can Erase Your Phone.pdf", "2016-02-09 - Poseidon Group- a Targeted Attack Boutique specializing in global cyber-espionage.pdf", "2016-02-17 - OceanLotus for OS X \u2013 an Application Bundle Pretending to be an Adobe Flash Update.pdf", "2016-02-21 - Source code for powerful Android banking malware is leaked.pdf", "2016-02-22 - Russian bank employees received fake job offers in targeted email attack.pdf", "2016-02-24 - Operation Blockbuster Coalition Ties Destructive Attacks to Lazarus Group.pdf", "2016-02-19 - Citadel 0.0.1.1 (Atmos).pdf", "2016-02-26 - Nymaim Moves Past Its Ransomware Roots - What Is Old Is New Again.pdf", "2016-02-24 - The DGA of Qakbot.T.pdf", "2016-03-01 - Look Into Locky Ransomware.pdf", "2016-03-01 - Taiwan Presidential Election- A Case Study on Thematic Targeting.pdf", "2016-02-29 - New Malware \u2018Rover\u2019 Targets Indian Ambassador to Afghanistan.pdf", "2016-02-29 - The \u201cHawkEye\u201d attack- how cybercrooks target small businesses for big money.pdf", "2016-02-25 - KeyBase Threat Grows Despite Public Takedown- A Picture is Worth a Thousand Words.pdf", "2016-03-07 - RedHat Hacker.asp.pdf", "2016-03-01 - Shrouded Crossbow Creators Behind BIFROSE for UNIX.pdf", "2016-02-18 - New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom.pdf", "2016-03-03 - Attack on Zygote- a new twist in the evolution of mobile threats.pdf", "2016-03-11 - Cerber ransomware- new, but mature.pdf", "2016-03-04 - Tracing the Lineage of DarkSeoul.pdf", "2016-03-10 - Death Comes Calling- Thanatos-Alphabot Trojan Hits the Market.pdf", "2016-03-15 - Suckfly- Revealing the secret life of your code signing certificates.pdf", "2016-03-06 - Network detector for Winnti malware.pdf", "2016-03-11 - Gaudox - HTTP Bot (1.1.0.1) - C++-ASM - Ring3 Rootkit - Watchdog - Antis.pdf", "2016-03-11 - PowerSniff Malware Used in Macro-based Attacks.pdf", "2016-03-18 - Xor DDoS.pdf", "2016-03-09 - Korean Energy and Transportation Targets Attacked by OnionDog APT.pdf", "2016-03-14 - Massive Malvertising Campaign in US Leads to Angler Exploit Kit-BEDEP.pdf", "2016-03-14 - Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government.pdf", "2016-03-18 - Teslacrypt Spam Campaign- \u201cUnpaid Issue\u2026\u201d.pdf", "2016-02-14 - PadCrypt The first ransomware with Live Support Chat and an Uninstaller.pdf", "2016-03-23 - SamSam- The Doctor Will See You, After He Pays The Ransom.pdf", "2016-03-20 - Hidden Tear Project- Forbidden Fruit Is the Sweetest.pdf", "2016-03-23 - Gozi ISFB Sourceccode.pdf", "2016-03-21 - OS X Malware Samples Analyzed.pdf", "2016-03-31 - Stored XSS Vulnerabilites on Foscam.pdf", "2016-03-25 - ProjectM- Link Found Between Pakistani Actor and Operation Transparent Tribe.pdf", "2016-03-24 - Maktub Locker \u2013 Beautiful And Dangerous.pdf", "2016-04-06 - Locky Ransomware Is Becoming More Sophisticated - Cybercriminals Continue Email Campaign Innovation.pdf", "2016-04-07 - FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen.pdf", "2016-03-30 - Ransomware Deployed by Adversary with Established Foothold.pdf", "2016-03-29 - Taiwan targeted with new cyberespionage back doorTrojan.pdf", "2016-04-14 - Targeted Ransomware Activity.pdf", "2016-04-14 - Meet GozNym- The Banking Malware Offspring of Gozi ISFB and Nymaim.pdf", "2016-04-06 - Bootkit's development overview and trend (X).pdf", "2016-03-23 - New self?protecting USB trojan able to avoid detection.pdf", "2016-04-14 - Bedep has raised its game vs Bot Zombies.pdf", "2016-04-05 - SCADA Security Report 2016.pdf", "2016-04-01 - Petya \u2013 Taking Ransomware To The Low Level.pdf", "2016-04-11 - Manamecrypt \u2013 a ransomware that takes a different route.pdf", "2016-04-08 - CryptoHost Decrypted Locks files in a password protected RAR File.pdf", "2016-04-19 - MULTIGRAIN \u2013 Point of Sale Attackers Make an Unhealthy Addition to the Pantry.pdf", "2016-03-31 - The evolution of Brazilian Malware.pdf", "2016-04-16 - Ever Present Persistence - Established Footholds Seen in the Wild.pdf", "2016-04-21 - PoS Attacks Net Crooks 20 Million Stolen Bank Cards.pdf", "2016-04-26 - Digging deep for PLATINUM.pdf", "2016-04-21 - When entropy meets Shannon.pdf", "2016-04-22 - New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists.pdf", "2016-03-11 - Gaudox - HTTP Bot (1.1.0.1) - CPlusPlus ASM - Ring3 Rootkit - Watchdog - Antis.pdf", "2016-04-19 - Trojan.GodzillaLoader (alias Godzilla Loader).pdf", "2016-04-22 - Tater- A PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit..pdf", "2016-04-28 - Tick cyberespionage group zeros in on Japan.pdf", "2016-04-19 - Your Package Has Been Successfully Encrypted- TeslaCrypt 4.1A and the Malware Attack Chain.pdf", "2016-05-02 - Prince of Persia- Infy Malware Active In Decade of Targeted Attacks.pdf", "2016-04-27 - Freezer Paper around Free Meat.pdf", "2016-05-03 - The Continuing Evolution of Samas Ransomware.pdf", "2016-04-28 - Research Spotlight- The Resurgence of Qbot.pdf", "2016-05-05 - Sophisticated New Packer Identified in CryptXXX Ransomware Sample.pdf", "2016-05-11 - Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks.pdf", "2016-04-25 - Attackers Behind GozNym Trojan Set Sights on Europe.pdf", "2016-05-03 - A Universal Windows Bootkit.pdf", "2016-05-09 - KRBanker Targets South Korea Through Adware and Exploit Kits.pdf", "2016-05-12 - LatentBot \u2013 modularny i silnie zaciemniony bot.pdf", "2016-05-09 - PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP-CRYPTXXX.pdf", "2016-05-04 - Petya- the two-in-one trojan.pdf", "2016-05-02 - Prince of Persia Hashes.pdf", "2016-05-13 - Cyber Heist Attribution.pdf", "2016-05-06 - 7ev3n ransomware turning \u2018HONE$T\u2019.pdf", "2016-05-10 - Setting Sights On Retail- AbaddonPOS Now Targeting Specific POS Software.pdf", "2016-05-12 - Chinese-language Ransomware \u2018SHUJIN\u2019 Makes An Appearance.pdf", "2016-05-16 - Vietnamese Bank Blocks $1 Million SWIFT Heist.pdf", "2016-05-12 - Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck.pdf", "2016-05-15 - What We Can Learn From the Bangladesh Central Bank Cyber Heist.pdf", "2016-05-18 - Operation Groundbait- Espionage in Ukrainian war zones.pdf", "2016-05-09 - PseudoDarkLeech Angler EK from 185.118.66.154 sends Bedep-CryptXXX.pdf", "2016-05-17 - Indian organizations targeted in Suckfly attacks.pdf", "2016-05-23 - Technical Report about the Malware used in the Cyberespionage against RUAG.pdf", "2016-05-17 - ATM infector.pdf", "2016-06 - Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world.pdf", "2016-05-27 - Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks.pdf", "2016-05-24 - New Wekby Attacks Use DNS Requests As Command and Control Mechanism.pdf", "2016-06-02 - FastPOS- Quick and Easy Credit Card Theft.pdf", "2016-04-27 - Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More).pdf", "2016-05-19 - Petya and Mischa \u2013 Ransomware Duet (Part 1).pdf", "2016-05-19 - Petya and Mischa for All! The RaaS Boom Expands to Include the Petya-Mischa Combo.pdf", "2016-05-26 - The OilRig Campaign- Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor.pdf", "2016-05-26 - SWIFT attackers\u2019 malware linked to more financial attacks.pdf", "2016-05-20 - Special Report- Cyber thieves exploit banks' faith in SWIFT transfer network.pdf", "2016-06-03 - Cooking Up Autumn (Herbst) Ransomware.pdf", "2016-06-15 - Unsupported TeamViewer Versions Exploited For Backdoors, Keylogging.pdf", "2016-06-08 - Spear Phishing Attacks- Why They are Successful and How to Stop Them.pdf", "2016-06-14 - New Sofacy Attacks Against US Government Agency.pdf", "2016-05-22 - Cron has fallen.pdf", "2016-06-23 - Tracking Elirks Variants in Japan- Similarities to Previous Attacks.pdf", "2016-06-09 - Reverse-engineering DUBNIUM.pdf", "2016-06-07 - The Story of yet another ransom-fail-ware.pdf", "2016-06-22 - After Angler- Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity.pdf", "2016-06-25 - SectorC08- Multi-Layered SFX in Recent Campaigns Target Ukraine.pdf", "2016-06-11 - The Chinese Hackers in the Back Office.pdf", "2016-06-15 - Bears in the Midst- Intrusion into the Democratic National Committee.pdf", "2016-06-17 - ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks.pdf", "2016-05-22 - Operation Ke3chang Resurfaces With New TidePool Malware.pdf", "2016-06-29 - Apocalypse- Ransomware which targets companies through insecure RDP.pdf", "2016-06-06 - Everyone sees not what they want to see.pdf", "2016-06-28 - Prince of Persia \u2013 Game Over.pdf", "2016-06-17 - Operation Daybreak.pdf", "2016-06-23 - POS and Credit Cards- In the Line of Fire with \u201cPunkeyPOS\u201d.pdf", "2016-06-17 - In The Wild- Mobile Malware Implements New Features.pdf", "2016-06-10 - Petya and Mischa- ransomware duet (part 2).pdf", "2016-06-14 - CVE-2016-4171 \u2013 Adobe Flash Zero-day used in targeted attacks.pdf", "2016-06-24 - Ani-Shell.pdf", "2016-06-25 - Rokku Ransomware shows possible link with Chimera.pdf", "2016-07-01 - KeyBase - A New Keylogger on the Block.pdf", "2016-06-15 - Mofang- A politically motivated information stealing adversary.pdf", "2016-07-01 - How I Cracked a Keylogger and Ended Up in Someone's Inbox.pdf", "2016-06-21 - The Curious Case of an Unknown Trojan Targeting German-Speaking Users.pdf", "2016-07-14 - Technical Notes on Sakula.pdf", "2016-07-08 - Investigating the LuminosityLink Remote Access Trojan Configuration.pdf", "2016-07-13 - Troldesh ransomware influenced by (the) Da Vinci code.pdf", "2016-05-23 - DMA Locker 4.0- Known ransomware preparing for a massive distribution.pdf", "2016-07-11 - When Paying Out Doesn't Pay Off.pdf", "2016-07-20 - CrypMIC Ransomware Wants to Follow CryptXXX\u2019s Footsteps.pdf", "2016-07-22 - Stampado Ransomware campaign decrypted before it Started.pdf", "2016-07-21 - Canadian Man Behind Popular \u2018Orcus RAT\u2019.pdf", "2016-07-21 - Phishing Attacks Employ Old but Effective Password Stealer.pdf", "2016-07-07 - New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware..pdf", "2016-07-25 - Patchwork cyberespionage group expands targets from governments to wide range of industries.pdf", "2016-07-26 - OTX Pulse on R980 ransomware.pdf", "2016-07-12 - Me and Mr. Robot- Tracking the Actor Behind the MAN1 Crypter.pdf", "2016-07-26 - Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan.pdf", "2016-07-26 - Attack Delivers \u20189002\u2019 Trojan Through Google Drive.pdf", "2016-07-31 - China 1937CN Team Hackers Attack Airports in Vietnam.pdf", "2016-07-07 - NetTraveler APT Targets Russian, European Interests.pdf", "2016-07-18 - Third time (un)lucky \u2013 improved Petya is out.pdf", "2016-07-28 - Petya and Mischa For All Part II- They\u2019re Here\u2026.pdf", "2016-08-01 - CrowdStrike\u2019s New Methodology for Tracking eCrime.pdf", "2016-08 - Analysis of a packed Pony downloader.pdf", "2016-08-02 - Orcus \u2013 Birth of an unusual plugin builder RAT.pdf", "2016-07-08 - The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region.pdf", "2016-08-08 - Possibly Italy-Born Android RAT Reported in China, Find Bitdefender Researchers.pdf", "2016-08-08 - Doctor Web detected Linux Trojan written in Go.pdf", "2016-08-04 - What is Multigrain- Learn what makes this PoS malware different.pdf", "2016-08-08 - MONSOON - Analysis Of An APT Campaign.pdf", "2016-08-04 - Iranian Actor -Group5- Targeting Syrian Opposition.pdf", "2016-08-08 - Strider- Cyberespionage group turns eye of Sauron on targets.pdf", "2016-08-10 - CryptXXX - CrypMIC \u2013 intensywnie dystrybuowany ransomware w ramach exploit-kit\u00f3w.pdf", "2016-08-05 - Smoke Loader \u2013 downloader with a smokescreen still alive.pdf", "2016-08-08 - ProjectSauron- top level cyber-espionage platform covertly extracts encrypted government comms.pdf", "2016-08-18 - The Shadow Brokers.pdf", "2016-08-16 - Aveo Malware Family Targets Japanese Speaking Users.pdf", "2016-08-16 - Brazil Can\u2019t Catch a Break- After Panda Comes the Sphinx.pdf", "2016-08-22 - BLATSTING FUNKSPIEL.pdf", "2016-07-06 - New OSX-Keydnap malware is hungry for credentials.pdf", "2016-08-23 - GozNym Banking Trojan Targeting German Banks.pdf", "2016-08-22 - Trojan.Mutabaha.1.pdf", "2016-08-25 - Shakti Trojan - Technical Analysis.pdf", "2016-08-19 - New Hancitor Malware- Pimp my Downloaded.pdf", "2016-08-28 - FEINTCLOUD.pdf", "2016-08-23 - Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say.pdf", "2016-08-15 - Shakti Trojan- Document Thief.pdf", "2016-08-17 - Operation Ghoul- targeted attacks on industrial and engineering organizations.pdf", "2016-08-29 - Fantom ransomware impersonates Windows update.pdf", "2016-08-25 - Unpacking the spyware disguised as antivirus.pdf", "2016-08-29 - German Speakers Targeted by SPAM Leading to Ozone RAT.pdf", "2016-07-03 - Android Triada modular trojan.pdf", "2016-08-04 - Iran Threats Webpage.pdf", "2016-08-10 - Android Marcher- Continuously Evolving Mobile Malware.pdf", "2016-08-30 - OSX-Keydnap spreads via signed Transmission application.pdf", "2016-09-01 - TADAQUEOUS moments.pdf", "2016-08-30 - Pythons and Unicorns and Hancitor\u2026Oh My! Decoding Binaries Through Emulation.pdf", "2016-07-12 - Malware Discovered \u2013 SFG- Furtim Malware Analysis.pdf", "2016-09-02 - Necurs \u2013 hybrid spam botnet.pdf", "2016-08-29 - Nightmare on Tor Street- Ursnif variant Dreambot adds Tor functionality.pdf", "2016-07-30 - Luminosity RAT - Re-purposed.pdf", "2016-08-07 - Strider- Cyberespionage group turns eye of Sauron on targets.pdf", "2016-09-04 - BLATSTING Command-and-Control protocol.pdf", "2016-09-11 - BUZZDIRECTION- BLATSTING reloaded.pdf", "2016-08-11 - Smrss32 (.encrypted) Ransomware Help & Support - _HOW_TO_Decrypt.bmp.pdf", "2016-07-05 - New Backdoor Allows Full Access to Mac Systems, Bitdefender Warns.pdf", "2016-09-08 - Doctor Web discovers Linux Trojan written in Rust.pdf", "2016-09-06 - Buckeye cyberespionage group shifts gaze from US to Hong Kong.pdf", "2016-08-22 - VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick.pdf", "2016-09-08 - The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals.pdf", "2016-07-08 - GootKit- Bobbing and Weaving to Avoid Prying Eyes.pdf", "2016-09-20 - Hackers lurking, parliamentarians told _ News _ DW _ 20.09.2016.pdf", "2016-09-13 - H1N1- Technical analysis reveals new capabilities.pdf", "2016-09-17 - A few notes on SECONDDATE's C&C protocol.pdf", "2016-09-13 - The curious case of BLATSTING's RSA implementation.pdf", "2016-09-11 - Free Darktrack RAT Has the Potential of Being the Best RAT on the Market Search.pdf", "2016-09-06 - Blatsting C&C Transcript.pdf", "2016-09-16 - Tofsee \u2013 modular spambot.pdf", "2016-09-07 - The Missing Piece \u2013 Sophisticated OS X Backdoor Discovered.pdf", "2016-09-20 - Inside Petya and Mischa ransomware.pdf", "2016-09-22 - Book of Eli- African targeted attacks.pdf", "2016-09-23 - Dissecting a Hacktivist\u2019s DDoS Tool- Saphyra Revealed.pdf", "2016-09-23 - SECONDDATE in action.pdf", "2016-09-27 - New Voldemort-Nagini Ransomware Virus Infection.pdf", "2016-09-09 - GOVRAT V2.0 - Attacking US military and government.pdf", "2016-09-15 - MILE TEA- Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies.pdf", "2016-09-19 - Untangling the Ripper ATM Malware.pdf", "2016-09-22 - Zeus Delivered by DELoader to Defraud Customers of Canadian Banks.pdf", "2016-09-20 - Hackers lurking, parliamentarians told.pdf", "2016-09-26 - Sofacy\u2019s \u2018Komplex\u2019 OS X Trojan.pdf", "2016-09-21 - Reversing GO binaries like a pro.pdf", "2016-09-16 - iSpy Keylogger.pdf", "2016-09-13 - DualToy- New Windows Trojan Sideloads Risky Apps to Android and iOS Devices.pdf", "2016-09-14 - BkSoD by Ransomware- HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs.pdf", "2016-09-21 - KrebsOnSecurity Hit With Record DDoS.pdf", "2016-09-20 - Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks.pdf", "2016-09-05 - Pok\u00e9mon-themed Umbreon Linux Rootkit Hits x86, ARM Systems.pdf", "2016-09-23 - Hancitor (AKA Chanitor) observed using multiple attack approaches.pdf", "2016-09-27 - Komplex Mac backdoor answers old questions.pdf", "2016-09-28 - Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware.pdf", "2016-09-28 - Belling the BEAR.pdf", "2016-09-28 - Introducing Her Royal Highness the Princess Locker Ransomware.pdf", "2016-09-27 - Threat Spotlight- GozNym.pdf", "2016-09-29 - TeamXRat- Brazilian cybercrime meets ransomware.pdf", "2016-09-30 - Hacked Steam accounts spreading Remote Access Trojan.pdf", "2016-10-03 - Remsec driver analysis.pdf", "2016-10-01 - \u2018Shadow Brokers\u2019 Whine That Nobody Is Buying Their Hacked NSA Files.pdf", "2016-10-17 - RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT.pdf", "2016-10-01 - Source Code for IoT Botnet \u2018Mirai\u2019 Released.pdf", "2016-09-28 - Confucius Says\u2026Malware Families Get Further By Abusing Legitimate Websites.pdf", "2016-10-10 - Remsec driver analysis - Part 2.pdf", "2016-10-10 - How France's TV5 was almost destroyed by 'Russian hackers'.pdf", "2016-10-05 - FastPOS Updates in Time for the Retail Sale Season.pdf", "2016-09-29 - Want Tofsee My Pictures- A Botnet Gets Aggressive.pdf", "2016-10-11 - Remsec driver analysis - Part 3.pdf", "2016-10-17 - New-looking Sundown EK drops Smoke Loader, Kronos banker.pdf", "2016-10-09 - SiteIntel- Cyber Caliphate Army.pdf", "2016-10-17 - \u2018DealersChoice\u2019 is Sofacy\u2019s Flash Player Exploit Platform.pdf", "2016-10-27 - Inside the Gootkit C&C server.pdf", "2016-10-04 - OilRig Malware Campaign Updates Toolset and Expands Targets.pdf", "2016-10-03 - Polyglot \u2013 the fake CTB-locker.pdf", "2016-10-20 - TheMoon - A P2P botnet targeting Home Routers.pdf", "2016-10-18 - Digitally Signed Malware Targeting Gaming Companies.pdf", "2016-10-17 - A Tale of Two Targets.pdf", "2016-10-24 - Introducing TrickBot, Dyreza\u2019s successor.pdf", "2016-11-02 - Exposing the EGO MARKET- the cybercrime performed by the Linux-Moose botnet.pdf", "2016-10-24 - Evasive Malware Detects and Defeats Virtual Machine Analysis.pdf", "2016-10-27 - In-Dev Ransomware forces you do to Survey before unlocking Computer.pdf", "2016-11-09 - Tricks of the Trade- A Deeper Look Into TrickBot\u2019s Machinations.pdf", "2016-10-28 - zxshell repository.pdf", "2016-10-31 - Second Shadow Brokers dump released.pdf", "2016-11-09 - Down the H-W0rm Hole with Houdini\u2019s RAT.pdf", "2016-10-26 - Moonlight \u2013 Targeted attacks in the Middle East.pdf", "2016-10-15 - TrickBot- We Missed you, Dyre.pdf", "2016-11-14 - Doctor Web discovers a botnet that attacks Russian banks.pdf", "2016-11-10 - Floki Bot and the stealthy dropper.pdf", "2016-11-08 - Analysis of iOSGuiInject Adware Library.pdf", "2016-11-02 - Linux-Moose- Still breathing.pdf", "2016-10-25 - TrickBot Banker Insights.pdf", "2016-11-01 - Ursnif Malware- Deep Technical Dive.pdf", "2016-10-11 - Odinaff- New Trojan used in high level financial attacks.pdf", "2016-11-14 - Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles.pdf", "2016-10-27 - Mirai DDoS Botnet- Source Code & Binary Analysis.pdf", "2016-11-15 - CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits.pdf", "2016-11-02 - Nymaim Malware- Deep Technical Dive \u2013 Adventures in Evasive Malware.pdf", "2016-11-15 - ScanPOS, new POS malware being distributed by Kronos.pdf", "2016-11-07 - Little Trickbot Growing Up- New Campaign.pdf", "2016-11-08 - Analysis of IOS.GUIINJECT Adware Library.pdf", "2016-11-08 - SPAMTORTE VERSION 2- DISCOVERY OF AN ADVANCED, MULTILAYERED SPAMBOT CAMPAIGN THAT IS BACK WITH A VENGEANCE.pdf", "2016-10-21 - BITTER- a targeted attack against Pakistan.pdf", "2016-11-15 - Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware.pdf", "2016-10-27 - BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List.pdf", "2016-10-25 - Houdini\u2019s Magic Reappearance.pdf", "2016-11-23 - InPage zero-day exploit used to attack financial institutions in Asia.pdf", "2016-11-30 - Bladabindi Remains A Constant Threat By Using Dynamic DNS Services.pdf", "2016-11-17 - It\u2019s Parliamentary - KeyBoy and the targeting of the Tibetan Community.pdf", "2016-11-22 - Cobalt hackers executed massive, synchronized ATM heists across Europe, Russia.pdf", "2016-10-03 - On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users.pdf", "2016-11-21 - PrincessLocker \u2013 ransomware with not so royal encryption.pdf", "2016-11-21 - Android malware analysis with Radare- Dissecting the Triada Trojan.pdf", "2016-11-17 - Princess Locker decryptor.pdf", "2016-11-28 - NetWire RAT Steals Payment Card Data.pdf", "2016-12-08 - Thyssenkrupp victim of cyber attack.pdf", "2016-12-06 - Deep Analysis of the Online Banking Botnet TrickBot.pdf", "2016-12-07 - The TrickBot Evolution.pdf", "2016-12-07 - August in November- New Information Stealer Hits the Scene.pdf", "2016-12-06 - August in November- New Information Stealer Hits the Scene.pdf", "2016-11-28 - A New All-in-One Botnet- Proteus.pdf", "2016-12-09 - Now Mirai Has DGA Feature Built in.pdf", "2016-12-01 - CNACOM - Open Source Exploitation via Strategic Web Compromise.pdf", "2016-12-07 - Floki Bot Strikes, Talos and Flashpoint Respond.pdf", "2016-12-14 - MiKey - A Linux keylogger.pdf", "2016-12-19 - Dismantling a Nuclear Bot.pdf", "2016-12-09 - -Proof of Concept- CryptoWire Ransomware Spawns Lomix and UltraLocker Families.pdf", "2016-12-26 - Rocket Kitten.pdf", "2016-12-14 - Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016.pdf", "2016-12-14 - Twin zero-day attacks- PROMETHIUM and NEODYMIUM target individuals in Europe.pdf", "2016-12-27 - Pegasus internals- Technical Teardown of the Pegasus malware and Trident exploit chain.pdf", "2016-12-16 - Bayrob- Three suspects extradited to face charges in US.pdf", "2016-12-20 - Alice- A Lightweight, Compact, No-Nonsense ATM Malware.pdf", "2016-12-29 - Some notes on IoCs.pdf", "2016-12-15 - Let It Ride- The Sofacy Group\u2019s DealersChoice Attacks Continue.pdf", "2016-12-22 - Tofsee Spambot features .ch DGA - Reversal and Countermesaures.pdf", "2016-12-23 - Emsisoft Decryptor for GlobeImposter.pdf", "2016-11-30 - Shamoon 2- Return of the Disttrack Wiper.pdf", "2016-11-23 - Analysis- Ursnif - spying on your data since 2007.pdf", "2016-12-09 - New Exo Android Trojan Sold on Hacking Forums, Dark Web.pdf", "APT C 03.pdf", "2016-12-28 - Switcher- Android joins the \u2018attack-the-router\u2019 club.pdf", "2016-12-27 - ANALYSIS OF AUGUST STEALER MALWARE.pdf", "2016-11-30 - Shamoon- Back from the dead and destructive as ever.pdf", "Asruex.pdf", "2016-11-22 - Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy.pdf", "Aveo.pdf", "attack delivers 9002 trojan through google drive.pdf", "APT-C-09 (2).pdf", "Black Energy APT.pdf", "Cisco HayStack.pdf", "Dust Storm Infographic.pdf", "Apt 2015 (2).pdf", "Dissecting the malware in inocnation campaign.pdf", "Dynasty.pdf", "NetTraveler.pdf", "Houdini.s.Magic.Reappearance.pdf", "Operation Blockbuster Ex Summary.pdf", "Operation Dust Storm.pdf", "2016-01-22 - CVE-2015-4400 - Backdoorbot, Network Configuration Leak on a Connected Doorbell.pdf", "2016-01-26 - URLZone Zones in on Japan.pdf", "2016-01-21 - NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan.pdf", "2016-04-13 - Ghosts in the Endpoint.pdf", "2016-05-25 - CVE-2015-2545- overview of current threats.pdf", "2016-05-29 - Keep Calm and (Don\u2019t) Enable Macros- A New Threat Actor Targets UAE Dissidents.pdf", "2016-12-01 - Alert (TA16-336A)- Avalanche (crimeware-as-a-service infrastructure).pdf", "2016-12-13 - The rise of TeleBots- Analyzing disruptive KillDisk attacks.pdf", "2016-12-09 - Windows 10- protection, detection, and response against recent Depriz malware attacks.pdf", "2016-12-15 - Goldeneye Ransomware \u2013 the Petya-Mischa combo rebranded.pdf", "2016-12-20 - New Linux-Rakos threat- devices and servers under SSH scan (again).pdf", "2016-12-29 - GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity.pdf", "A tale of two targets.pdf", "APT-C-15.pdf", "Attack on Ukraine Power Grid.pdf", "Bears in the Midst Intrusion into the Democratic National Committee \u00bb.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 561, "FileHash-MD5": 1150, "FileHash-SHA256": 1957, "URL": 1407, "domain": 1246, "hostname": 1684, "FileHash-SHA1": 433, "CVE": 54, "email": 60, "BitcoinAddress": 4, "YARA": 1 }, "indicator_count": 8557, "is_author": false, "is_subscribing": null, "subscriber_count": 12, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "64 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6879093e8658df9f35683846", "name": "Worm:Win32/Benjamin continues to impact network", "description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-17T14:31:26.824000", "tags": [ "include review", "data upload", "extraction", "read c", "search", "medium", "show", "msie", "windows nt", "wow64", "slcc2", "media center", "entries", "dock", "write", "execution", "capture", "next", "copy", "date", "aaaa", "present may", "present nov", "passive dns", "ip address", "domain", "status", "next associated", "delete", "iocs", "failed", "sc data", "type", "extr data", "included", "review iocs", "memcommit", "user execution", "module load", "t1129", "icmp traffic", "high", "collection", "cmd c", "t1055", "enter", "extract", "enter sc", "drop or", "browse t", "oprop", "extraction data", "enter source", "url or", "texorag", "browse", "urls", "dnssec", "hostname add", "pulse pulses", "files", "files ip", "domainadmin", "showing", "ttl value", "thumbprint", "onlv", "find", "extri data", "dran anu", "extr", "manually add", "review exclude", "sugges", "find s", "typ hos", "se data", "include data", "review locs", "exclude", "suggested es", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "worm", "win32", "benjamin", "june", "delphi", "malware", "nids", "icmp delphi", "yara detections", "malware traffic", "checkin", "code", "name servers", "servers", "pulses", "expiration date", "united", "body", "cookie", "related tags", "file type", "pe packer", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "screenshots", "comments" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 536, "FileHash-SHA1": 465, "FileHash-SHA256": 1836, "domain": 766, "hostname": 960, "URL": 2879, "CVE": 1, "email": 4 }, "indicator_count": 7447, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f33233092ab19b74879403", "name": "MacOS M2 Chip Infiltration: Game Center & XBOX Pod Game & Chat Server", "description": "pulse explores a variety of files, objects, and functions that could be associated with different system components, libraries, and protocols. It highlights a wide range of potential vulnerabilities that may exist in software related to system functions, APIs, data handling, and device interactions, including issues in devices like game controllers, HID devices, and platform-specific services (such as Apple and Android). The pulse references several components across different platforms (macOS, iOS, ARM architectures, and others), with a focus on low-level code, encryption libraries, system utilities, and network protocols like TCP, IP, and Bluetooth. The identified vulnerabilities could involve buffer overflows, deprecated functions, improper memory handling, and potential exploit vectors related to system security, performance, and integrity.", "modified": "2025-05-07T02:03:20.735000", "created": "2025-04-07T02:02:27.322000", "tags": [ "helper macro", "param", "param inccache", "kerberos", "ccache", "api function", "ccapi", "api version", "param ioccache", "ccacheserver", "win32", "null", "code", "win64", "error", "union", "ccapideprecated", "ccacheapi", "ccapiv2h", "apple", "export", "united", "ccache api", "cplusplus", "x8664", "typedef", "patheq", "none", "popen", "terminate", "false", "winenv", "winexe", "frozen", "winservice", "python", "posixthreads", "pyhavecondvar", "ntthreads", "vista", "pyemulatedwincv", "ntddivista", "semaphore", "pycondt", "win7", "pybuildcore", "fall", "copyright", "technology", "all rights", "reserved", "america", "government", "within that", "klprincipal", "klloginoptions", "inpassword", "klboolean", "klindex inindex", "login", "klstatus", "kerberos login", "inst", "regexp", "typeof e", "function", "typeof t", "typeof o", "width", "typeof", "pseudo", "body", "sticky", "date", "class", "this", "void", "accept", "span", "krb5callconv", "apoptsreserved", "tktflgreserved", "kdcoptreserved", "krb5data", "eblock", "krb5address", "krb5keyblock", "service", "realm", "format", "general", "internal", "entropy", "mask", "mcpeerid", "mcsession", "property", "protocol", "create", "nsuinteger", "notifies", "mcsession api", "interface", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "bonjour apis", "stop", "peer", "example", "tags", "session", "nsprogress", "nserror", "nsstring", "nsurl", "nsarray", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "webpackrequire", "webpackexports", "object", "adobe systems", "adobe", "incorporated", "dissemination", "touchmove", "window", "launch", "close", "core", "webview", "nwebpackrequire", "arraybuffer", "name", "typedarray", "prototype", "string", "number", "nvar", "meta", "infinity", "generator", "zero", "epsilon", "observer", "android", "freeze", "trim", "canvas", "simple", "bind", "fast", "next", "patch", "rest", "middle", "find", "enumerate", "facebook", "executor", "apiunavailable", "gamecontroller", "gcbuttoninput", "gcswitchinput", "nsobject", "apiavailable", "hid device", "cfstr", "iohiddeviceref", "boolean value", "c iohidmanager", "iohidmanager", "c iohiddevice", "issequential", "bool sequential", "bool canwrap", "nsset", "nsunavailable", "gcswitchelement", "bool", "share button", "xbox controller", "xbox elite", "xbox series", "gcxboxgamepad", "gcpoint2", "gcpoint2make", "gcpoint2 p", "cfinline bool", "gcpoint2equal", "gcpoint2 point1", "gcpoint2 point2", "gcrelativeinput", "isanalog", "bool analog", "hasinclude", "gcaxis2dinput", "gcpoint2 value", "gcaxiselement", "certain", "gcaxisinput", "gcbuttonelement", "gccontroller", "nsnotification", "chhapticengine", "gcmicrogamepad", "input", "menu button", "gcdevicelight", "gccolor", "x axis", "xvalue", "developers", "functionality", "options button", "sf symbols", "elements", "gcdevice", "gctouchstate", "gctouchstateup", "apideprecated", "gckeyboard", "gcmouse", "nsswiftname", "gcdevicebattery", "battery level", "direction pad", "directionapad", "thumbstick", "gcdevicecursor", "a controller", "gccolor color", "gcinputbuttona", "gcinputbuttonb", "button b", "check", "a element", "c nil", "nsenumerator", "siri remote", "equivalent", "down", "left", "right", "kindof", "handle button", "c device", "immediate input", "dualsense", "positional", "sony dualsense", "gcmotion", "dualshock", "uievent", "controllers", "uikit user", "uiview", "method", "nsdata", "axes", "nsdata source", "return", "nullable", "nsdata object", "button", "shoulder", "extended", "gamepad profile", "nsdata api", "gcgamepad", "sizeof", "standard", "gckeyboardinput", "keyboard", "nsstring const", "controller", "back buttons", "game controller", "back", "keypad", "delete", "insert", "home", "right arrow", "left arrow", "down arrow", "up arrow", "korean", "backspace", "alongside", "gckeyuparrow", "gckeycode const", "lang1", "gclinearinput", "gcquaternion", "gcacceleration", "y axis", "z axis", "gcmouse mouse", "gcmouse class", "mice", "gcmouseinput", "mouse profile", "scroll", "nsdata instance", "a alias", "press", "micro profile", "siri remotes", "b button", "a gcinput", "button a", "nsoptions", "examining", "c sfsymbolsname", "apple tv", "remote", "control center", "a set", "game", "gcracingwheel", "gcbundlewithpid", "gcinputbuttonx", "gcinputbuttony", "gcinputshifter", "gckeya", "gckeyb", "gckeybackslash", "rawvalue", "apple swift", "o librarylevel", "swift import", "element", "indices", "iterator", "subsequence", "kerberoscomerr", "const", "permission", "mit software", "suitability", "athena", "openvision", "gssdllimp", "gssapigenerich", "this software", "purpose", "disclaims all", "warranties with", "regard to", "constraint", "kerberosprofile", "krb5profileh", "const names", "newvalue", "1429577728l", "gnuc", "mach", "omuint32", "gssapikrb5h", "form", "uid form", "client function", "asrep", "including", "preauth", "db entry", "free", "pointer", "rock", "neither", "direct", "damage", "minorstatus", "gssbuffert", "gssctxidt", "gssoid", "gssnamet", "gsscredidt", "gssoidset", "gssapi", "first", "alcapi", "alcapientry", "alcboolean", "targetosmac", "alcdevice", "alcenum param", "alalch", "alcchar", "alcsizei", "capture", "but not", "limited", "openal cross", "apple computer", "redistribution", "is provided", "type", "alvoid", "alint", "openal", "aluint sid", "alenum", "alint value", "aluint property", "alvoid nonnull", "alfloat", "write", "openalopenalh", "umbrella header", "alenum param", "alapi", "aluint bid", "alsizei", "alfloat value", "alapientry", "aluint", "verify", "play", "speed", "bits", "albuffer3i", "albufferdata", "albufferf", "albufferfv", "albufferi", "albufferiv", "aldistancemodel", "aldopplerfactor", "algetbooleanv", "algetbuffer3f", "iousbhostdevice", "iousbhostobject", "iousbhostpipe", "iousbhoststream", "iousbhost", "brief", "usb host", "bool yes", "bool no", "advance", "iousbhostfamily", "kernel", "ioreturn status", "nsnumber", "ioreturn error", "usb device", "select", "commands", "enqueue", "nsmutabledata", "field", "enum", "options", "retrieve", "iosource", "current address", "bos descriptor", "extract", "a descriptor", "license", "io request", "abort", "discussion", "stream", "please", "swift api", "iousbbitrange", "iousbbitrange64", "iousbbit", "client", "usb controller", "usb descriptor", "unknown", "critical", "refer", "link", "send", "same", "common ui", "bluetooth", "service browser", "option", "1001", "cfstringref", "deprecated", "macos", "returns", "abstract", "nswindow", "creates", "mac os", "uuids", "uuid", "sdp service", "nsimage", "nsview", "mpasskeystring", "nsmutablearray", "uuid array", "ioreturn", "runmodal", "group", "command", "byte", "masks", "pduid", "l2cap", "range", "opcode", "packet", "major", "local", "profiles", "iobluetooth", "framework", "support", "host controller", "rfcomm", "minor class", "pseudoclass", "specific device", "headset", "peripheral", "desktop", "glasses", "device reset", "no hci", "hci controller", "returns number", "variable number", "packdata", "cstring", "pass", "path", "deprecated in", "obex session", "obexsessionref", "rfcomm channel", "obex", "does not", "l2cap channel", "inrefcon", "device", "length", "obex spec", "error code", "make", "headerid", "april", "alarm", "avrcplog", "audiolog", "bccmd16touint16", "bccmd16touint8", "bccmd32touint32", "hfplog", "obexcreatevcard", "obexsessionget", "uint16tobccmd16", "intents", "created", "andrea gottardo", "inimage", "intentsui", "project version", "inshortcut", "ibdesignable", "invoiceshortcut", "nsbundle", "siri", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "ldap", "vdspinput1", "vectorsize", "iirchannel", "osvkerndsplib", "pragmaonce", "paul chang", "fri mar", "original code", "apple operating", "modifications", "apple public", "source license", "version", "lframesize", "i386", "picify", "callmcount", "nonlazystub", "align", "roundtostack", "leaf", "import", "carnegie mellon", "carnegie", "inline void", "software", "school", "august", "xnuarchi386selh", "next computer", "mike demoney", "bruce martin", "state segment", "nxswappedfloat", "osswapint32", "inline float", "inline double", "osswapint64", "armlimitsh", "arm64", "useclangtypes", "bsdarmtypesh", "int8t", "gnuc typedef", "uint8t", "ansi c", "ansi", "use wchart", "armmcontexth", "mcontextt", "armparamh", "round", "darwinsizet", "darwinalign", "uint32t", "darwinalign32", "warranties", "a particular", "university", "armarch6zk", "armarch6k", "armarch4t", "armarch4", "http", "capbitnb", "legacy", "armfeatureflag", "california", "notice", "berkeley", "limited to", "define", "useclanglimits", "lp64", "ansisource", "darwincsource", "longmin", "ulongmax", "parameter", "vmmemcoherent", "vmmemearlyack", "vmmeminner", "vmmemrt", "vmmemguarded", "armmemorytypesh", "armpalroutinesh", "read", "struct", "booleant", "cluster", "devbsize", "mclbytes", "unix system", "laboratories", "devbshift", "thumb", "armv5", "armv7", "cache", "neon", "swift", "bsdarmprofileh", "xxx todo", "block", "mcount", "mcountinit", "mcountenter", "splhigh", "armthreadh", "armtraph", "dflssiz", "targetososx", "maxssiz", "rliminfinity", "maxcsiz", "bsdarmvmparamh", "dfldsiz", "maxdsiz", "xxx stack", "armsignal", "int64t", "armmachtypesh", "int32t", "methods", "thread", "hasapplepac", "atmatmtypesh", "libkernlocksh", "fortifysource", "libkerncopyioh", "sizedby", "darwinosinline", "stdcversion", "osswapint16", "libkerncrch", "blockexport", "vaargs", "blockrelease", "blockh", "collection", "blockcopy", "ososbaseh", "base", "byteoffset", "host endianess", "generic host", "generic", "osmalloc", "osmalloctag tag", "osmalloctag", "pci device", "uint32", "uint32 mask", "safecastptr", "sint32", "osaddatomic64", "uint8", "libkern c", "internal error", "core osreturn", "libkern", "values", "pragmamark", "kexts", "kext", "c string", "grab", "osostypesh", "boolean", "unsignedwide", "uint32 hi", "buildtime value", "libkernversionh", "versionmajor", "versionminor", "versionvariant", "versionrevision", "ostype", "osrelease", "libkernsysctlh", "instructions", "data cache", "future", "rbleft", "rbright", "rbgetparent", "splayright", "splayleft", "rbsetcolor", "rbblack", "rbgetcolor", "comp", "main", "stdc", "msdos", "windows", "sys16bit", "zlibdll", "zextern", "zconfh", "model", "zextern int", "zstreamerror", "znull", "zbuferror", "zmemerror", "zstreamend", "zdataerror", "zfinish", "enough", "possible", "trailer", "compiler", "countedby", "sparta", "osatomic", "ipcipctypesh", "ipcobjectnull", "ipcobjectdead", "osreturn", "nfskrpch", "xdrbuf", "xdrbuf xbp", "xbptr", "xbleft", "tlen", "lval", "xbcleanup", "xbtype", "xbflags", "nfsargsversion", "file", "packed", "nfshz", "mount", "term", "restrict", "stats", "nfsbitmapset", "nfsver3", "nfsxunsigned", "attr", "nfsprogram", "nfssmallfh", "which", "from", "mark", "obsolete", "ip address", "iaddrt", "netinetbootph", "nvmaxtext", "magic", "etheraddrlen", "target", "byteorder", "bigendian", "littleendian", "dest", "igmp", "ushort", "inpcbptr", "inpcblistentry", "ipsec", "pcbs", "cookie", "netinetinstath", "minimal", "result", "arp packet", "icmpparamprob", "icmpredirect", "address", "ditto", "ip filter", "ipv4", "ip packet", "inject", "wifi", "server", "tcpmaxnotifyack", "wired", "ecn setup", "notify", "slow", "definitions", "tcptmax", "retransmit", "mptcp", "tcpsclosewait", "tcpsestablished", "tcpstimewait", "tcpseq", "timer drift", "sack", "char", "icmp", "synack", "tcpoptnop", "syndata", "ver", "internet", "iopcidevice", "constant", "perst", "localonly", "iooptionbits", "optional access", "ioservice", "open", "pcidriverkith", "osmetaclassbase", "iorpc rpc", "auditpipeiobase", "auditsdeviobase", "ioctls", "data", "the software", "stdargh", "hasincludenext", "eli friedman", "as is", "hack", "atomic", "atomicseqcst", "clangstdatomich", "stdchosted", "stdboolh", "needwintt", "stddefh", "hasbuiltin", "const src", "xnumembersize", "const dst", "wcharmax", "wcharmin", "limits", "kernelstdinth", "lp64 typedef", "intmaxc", "uintmaxc", "ptrauth", "olddata", "value", "declkey", "abi pointer", "c function", "float16", "fltevalmethod", "legacy bsd", "c standard", "sincospi", "cosp", "x8664monotonich", "staticifentry", "hasmte", "vmmemorytypesh", "vmwimgdefault", "wimg", "extvectortype", "utilfunction", "aligned", "srcptr", "vmpmaph", "vmdyldpagerh", "vmvmfaulth", "vmvmmaph", "development", "debug", "vmvmoptionsh", "vmvmpageouth", "kasantbi", "machvmmemtagh", "given", "vmmemtagptrsize", "vmmemtagtagsize", "copy", "vmsharedregionh", "vfsvfssupporth", "veclib", "master", "world wide", "various", "veclibtypes", "carbonlib", "availability", "carbon", "noncarbon cfm", "vbasicops", "shift", "vforceh", "vdsplength n", "realp", "nonnull", "vector", "dspsplitcomplex", "ieee", "dspcomplex", "uuiduuidh", "uuiddefine", "public", "uuid library", "kernelserver", "simpleroutine", "undkey", "execution", "strings array", "user", "title string", "info", "1024", "xmldatat", "undreplyref", "kernsuccess", "osaction", "targetosiphone", "istargetvendor", "targetcpux8664", "targetosunix", "targetcpuppc", "targetcpuppc64", "targetcpux86", "targetrtmaccfm", "bridge", "svflags", "svpavreal", "svpavreify", "xpvav", "svany", "avfillp", "for apidoc", "mutableav", "avrealoff", "pltopenv", "stmtstart", "stmtend", "copfile", "plcurstackinfo", "copfilegv", "cophinthashget", "loop", "stack", "beware", "orig", "loops", "this file", "the build", "plbitcount", "u8 value", "cvflags", "xpvcv", "mutableptr", "perlcore", "cvgv", "cvfile", "cvfmethod", "cvflvalue", "cvfconst", "anon", "doinit extconst", "ebcdic", "extconst u8", "index", "ascii platform", "confusingly", "u8 pla2e", "pla2e", "u8 ple2a", "guard", "declspec", "extconst", "ext externc", "init", "larry wall", "gnu general", "readme file", "multiplicity", "plsawampersand", "do not", "perliogetc", "perlioputc", "perliostdoutf", "perlio", "perlfeatureh", "featuresubbit", "featuremyrefbit", "featurefcbit", "featureisabit", "featuresaybit", "featurestatebit", "featuretrybit", "hintfeaturemask", "ffspace", "process", "ffdecimal", "ffend", "gvgp", "gvflags", "gvnamehek", "svtype", "gvegv", "gvstash", "gvxpvgv", "svtpvgv", "svtpvlv", "super", "edit directly", "djgpp", "bitbucket", "perlsysinitbody", "perlioinit", "perlsystermbody", "w macros", "wexitstatus", "shpath", "mkdir", "rotl64", "rotl32", "rotate x", "rotr32", "can64bithash", "rotr64", "ivsize", "u8to16le", "rotluv", "rotruv", "sbox32maxlen", "plhashstate", "perlhash", "perl", "usehashseed", "perlseenhvfunch", "perlhashseed", "siphash24", "siphash13", "seed", "c program", "c type", "c compiler", "gcc attribute", "longsize", "c preprocessor", "install", "kill", "cont", "thus", "ext declspec", "dext", "for apidocitem", "utf8", "ascii", "fitsin8bits", "nativetolatin1", "strwithlen", "u8 end", "test", "poison", "february", "cray", "prior", "behaviour", "except", "alpha", "perlvar", "perlvari", "perlvara", "padoffset", "true", "pmop", "hooks", "hook", "sv invlist", "perlinregcompc", "svcur", "perlinopc", "tointernalsize", "svtinvlist", "invlistlen", "strlen", "hvaux", "heklen", "svook", "hekutf8", "hekkey", "hekflags", "mutablehv", "hvnameheknn", "gosh", "leave", "iperlsock", "plsock", "iperlstdio", "plstdio", "iperlproc", "plproc", "iperllio", "pllio", "perlimplicitsys", "plink", "keypackage", "keyend", "keysub", "keydump", "keylog", "keysend", "keystate", "perlioclose", "perlmemcollxfrm", "nativetoneed", "plclocaleobj", "plno", "plwarnall", "plwarnnone", "plyes", "plzero", "plc9utf8dfatab", "nomathoms", "perlintokec", "perlinutf8c", "perlinsvc", "perlinregexecc", "debugging", "perlinlocalec", "pfinet", "snoop", "ccprint", "ccgraph", "cccharnamecont", "ccascii", "ccwordchar", "ccalphanumeric", "ccidfirst", "ccquotemeta", "ccalpha", "cccased", "ordinal", "magicvtablemax", "extra", "regex match", "env hash", "isa array", "debugger", "sig hash", "available", "shadow", "array length", "magic mg", "sv sv", "mgftainteddir", "hefsvkey", "mutablesv", "ssizet", "mgvtbl entry", "mgfbytes", "perlmagicsv 0", "special", "perlmagicarylen", "perlmagicrhash", "extra data", "perlmagicpos", "perlmagicsymtab", "provides", "dtrace probes", "stdioh", "stdioincluded", "sfioversion", "rxfpmfcharset", "rxfpmfmultiline", "rxfpmffold", "rxfpmfextended", "rxfpmfnocapture", "rxfpmfkeepcopy", "flags", "rxfpmfstrict", "ocshift", "plop", "perlbitfield16", "baseop op", "useithreads", "pmfonce", "padop", "perlcknull", "perlckfun", "opparg1mask", "opparg4mask", "opparg2mask", "perlckftst", "perlppftrowned", "perlckbitop", "perlckcmp", "perlcklfun", "dump", "chroot", "syscall", "flip", "undef", "crypt", "push", "stub", "trans", "predec", "flop", "prtf", "shutdown", "perlcontext cx", "perlmemlog", "c pointer", "cxtype", "logic", "toavamg", "tohvamg", "opftrread", "oplt", "opincmp", "opbitand", "opsbitor", "opsend", "opgetpeername", "opfteexec", "opftbinary", "opclose", "plparser", "yylex", "lexshared", "position", "repl", "memsize", "malloct", "perlmallocctlh", "uv nfree", "uv ntotal", "iv topbucket", "iv totalsbrk", "iv minbucket", "level", "plcomppad", "plcurpad", "uvxf", "ptr2uv", "avarray", "padnameflags", "plcopseqmax", "padlistarray", "c array", "padnametype", "incpushperl5lib", "appllibexp", "privlibexp", "defineincmacros", "perlfsversion", "perl5lib", "sitearchexp", "perllanginfoh", "hasnllanginfo", "ilanginfo", "codeset", "codeset 1", "dtfmt", "dtfmt 2", "dfmt", "dfmt 3", "sipround", "u8to64le", "fallthrough", "uint64c", "perlsiphashfnc", "siprounds", "strlen inlen", "sipfinalrounds", "could", "configure", "plout", "mine001", "argv", "plin", "localpatchcount", "perlapih", "xs code", "portingglossary", "first version", "brand", "symbols", "haswcrtomb", "perlionotstdio", "perlcallconv", "perlio f", "perlioh", "usestdio", "case", "bufsiz", "sizet", "perlstability", "perltypedefs", "perldtracehin", "perlloadedfile", "perlloadingfile", "perlopentry", "perlphasechange", "perlsubentry", "perlsubreturn", "generated", "perlcallconv iv", "sizet count", "sv arg", "mode", "perliofuncs tab", "stdchar", "perliolistt", "sv args", "mutex", "perlinterpreter", "sigsize", "perlioisstdio", "perlcallconv op", "perldokv", "perlppaassign", "perlppabs", "perlppaccept", "perlppadd", "perlppaeach", "perlppaelem", "public license", "free software", "foundation", "yydebug", "bison", "bareword", "funcmeth", "arrow", "targ", "pushs", "tops", "does", "xsub", "pops", "xpushs", "erange", "perlreentrapi", "perlreentrapi0", "hostentsize", "getgrentrproto", "getpwentrproto", "getnetentrproto", "grentbuffer", "grentsize", "hostenterrno", "redebugflag", "debugvtest", "debugr", "u16 nextoff", "argset", "u8 type", "nextoff", "strings", "problem", "june", "invert", "perlfpclass", "longdoublekind", "plstatusvalue", "pldebug", "numclasses", "locale", "grok", "pragma", "dword", "attack", "little", "lynx", "done", "reany", "rxpextflags", "rxextflags", "checkpoint cp", "rxftaintedseen", "rxfcopydone", "plsavestackix", "plsavestack", "plsavestackmax", "ssmaxpush", "enter", "debugscope", "state", "u32 state", "debugsbox32hash", "sbox32warn5", "line", "mutexunlock", "mutexinit", "noop", "mutexlock", "condinit", "detach", "panic", "usetm64", "should", "bsd extension", "configuration", "time64debug", "int64t nv", "gnu extension", "perltime64h", "time64t", "int64t int64", "int64 time64t", "i32 year", "tm64", "hastmtmgmtoff", "decide", "svpvx", "svgmagic", "bonk", "anything", "turn", "crash", "fstat", "perlmicro", "hasioctl", "hasutime", "hasgroup", "haspasswd", "usemybinmode", "idirent", "likely", "generated code", "utfebcdic", "unicode", "step", "ufeff", "u00a0", "u00df", "u00b5", "ufffd", "u017f", "u0300", "unlikely", "nativeutf8toi8", "utf8skip", "nativetouni", "lazy", "extrasize", "regnodemax", "exact", "match", "whilem", "anyof", "curly", "trie", "curlym", "eval", "star", "perlutilh", "hsmapiverlen", "hsxsverlenmax", "hskeyp", "tools", "sv vs", "perlversionlt", "svpvxnolenconst", "perlckwarner", "u32 err", "scroakxsusage", "pluumap", "warnings", "categories", "plcurcop", "perlckwarn", "perlckwarnd", "perlwarnisset", "perlwarnoff", "perlwarnbit", "xsversion", "xsreturn", "perlxshandshake", "plstackbase", "hskey", "zaphod32mix", "u8to32le", "zaphod32warn4", "zaphod32warn3", "zaphod32warn6", "perlform", "i8tonativeutf8", "warnutf8", "myshift", "c extension", "libs", "cflags", "afkuserlog", "kafkeventcancel", "kafkeventerror", "adamsbagmanager", "adjinglerequest", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "hostconfig", "addtofront", "calcslope", "copyarray", "createcachenode", "defaultebecurve", "deletecache", "disablehcucache", "dumpcache", "dumpoutputhcu", "enablet1sim", "ascagent", "ascagentproxy", "asdevice", "ddrangecompare", "wdosloglauncher", "wdoslogprotocol", "findchar", "ddasllogger", "ddfilelogger", "ddlog", "ddlogfileinfo", "ddlogmessage", "ddloggernode", "mkurlparser", "mkerrordomain", "mkintegerhash", "mklonghash", "mkmaprectinset", "mkmaprectnull", "mkmaprectoffset", "mkmaprectworld", "mkmapsizeworld", "kextensionnonui", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webkit", "methodkind", "wkerrordomain", "by apple", "document", "a block", "wkcontentworld", "wkwebview", "javascript", "wkerrorcode", "wkerrorunknown", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "nshttpcookie", "whether", "wknavigation", "wkdownload", "decides", "mime type", "wkscriptmessage", "wkframeinfo", "information", "url scheme", "wkcontentmode", "wkuserscript", "wkextern", "media", "promise", "fulfill", "cgfloat", "targetoswatch", "sign", "password", "provider", "uicontrol", "nscontrol", "opaque user", "apple id", "nsstring user", "asuseragerange", "initiate", "asauthorization", "confirms", "apple upgrade", "nserrorenum", "operation", "relying party", "targetosvision", "a byte", "nsdata userid", "relying", "a string", "asapiavailable", "http response", "authorization", "oauth", "saml", "nsdata readdata", "bool didwrite", "a cose", "nsstring name", "bool appid", "targetosxr", "a state", "a json", "web token", "private seckeys", "nsstring appid", "mdm profile", "nsurl url", "returns yes", "lacontext", "asswiftsendable", "keychain", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nsinteger rank", "enables", "bool success", "remove", "call", "complete", "prepare", "attempt", "list", "nsextension", "settings", "initializes", "a key", "extensions", "hash", "json", "initialize", "nsstring origin", "settings app", "urls", "https urls", "safari", "cancel", "nsuuid uuid", "asextern extern", "asextern", "nsswiftsendable", "uiwindow", "propertykind", "gkplayer", "n tags", "gkerrordomain", "gamecenter", "targetosios", "targetostv", "nsavailable", "gkachievement", "local player", "view", "present", "optional", "gkbaseplayer", "game center", "uiimage", "app store", "gkchallenge", "gklocalplayer", "nsdeprecated", "a singleton", "gkcloudplayer", "returns nil", "nsdeprecatedmac", "internal2", "internal3", "internal4", "gkscore", "gkextern", "gkextern extern", "gkexternweak", "gkerrorcode", "gkerrorunknown", "gkerrorunderage", "friendplayer", "standard view", "nsresponder", "parentwindow", "ibaction", "gkgamesession", "apis", "gkplayer player", "nsinteger score", "nsdate date", "gkleaderboard", "connect", "nsinteger value", "load", "gktransporttype", "nsstring title", "loads array", "localized", "gkmatch", "gkmatchrequest", "gkinvite", "gksession", "gksession api", "gamekit", "asynchronously", "welcome", "nstimeinterval", "delegate", "delivery", "gksenddatamode", "gksessionmode", "gkphotosize", "callbacks", "gkmatchdelegate", "gksavedgame", "default value", "gksessionerror", "gkvoicechat", "participant", "voice chat", "clienta" ], "references": [ "CredentialsCache.h", "CredentialsCache2.h", "config.xml", "popen_spawn_win32.py", "pycore_condvar.h", "Kerberos.h", "KerberosLogin.h", "plugin.js", "krb5.h", "MultipeerConnectivity.tbd", "MCBrowserViewController.h", "MCNearbyServiceAdvertiser.h", "MCError.h", "MCAdvertiserAssistant.h", "MCNearbyServiceBrowser.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCPeerID.h", "canvas.html", "capture_0.bundle.js", "capture_resize.js", "GCRacingWheelInput.h", "GCSyntheticDeviceKeys.h", "GCSwitchPositionInput.h", "GCSteeringWheelElement.h", "GCSwitchElement.h", "GCTouchedStateInput.h", "GCXboxGamepad.h", "GCTypes.h", "GCRelativeInput.h", "GameController.h", "GCAxis2DInput.h", "GCAxisElement.h", "GCAxisInput.h", "GCButtonElement.h", "GCController.h", "GCColor.h", "GCControllerAxisInput.h", "GCControllerDirectionPad.h", "GCControllerInput.h", "GCControllerElement.h", "GCControllerTouchpad.h", "GCDevice.h", "GCDeviceBattery.h", "GCDeviceCursor.h", "GCDeviceHaptics.h", "GCDeviceLight.h", "GCDevicePhysicalInputState.h", "GCDevicePhysicalInputStateDiff.h", "GCDirectionalGamepad.h", "GCDirectionPadElement.h", "GCDevicePhysicalInput.h", "GCDualSenseAdaptiveTrigger.h", "GCDualSenseGamepad.h", "GCDualShockGamepad.h", "GCEventViewController.h", "GCExtendedGamepadSnapshot.h", "GCExtern.h", "GCExtendedGamepad.h", "GCGamepadSnapshot.h", "GCGearShifterElement.h", "GCGamepad.h", "GCKeyboard.h", "GCInputNames.h", "GCControllerButtonInput.h", "GCKeyNames.h", "GCKeyboardInput.h", "GCKeyCodes.h", "GCLinearInput.h", "GCMotion.h", "GCMouse.h", "GCMouseInput.h", "GCMicroGamepadSnapshot.h", "GCPhysicalInputElement.h", "GCMicroGamepad.h", "GCPhysicalInputProfile.h", "GCPhysicalInputSource.h", "GCPressedStateInput.h", "GCProductCategories.h", "GCRacingWheel.h", "GameController.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-macos.swiftinterface", "module.modulemap", "com_err.h", "gssapi_generic.h", "locate_plugin.h", "profile.h", "gssapi_krb5.h", "preauth_plugin.h", "gssapi.h", "alc.h", "oalStaticBufferExtension.h", "oalMacOSX_OALExtensions.h", "OpenAL.h", "al.h", "OpenAL.tbd", "IOUSBHost.tbd", "IOUSBHostCIEndpointStateMachine.h", "IOUSBHostCIControllerStateMachine.h", "IOUSBHost.h", "IOUSBHostCIPortStateMachine.h", "IOUSBHostCIDeviceStateMachine.h", "IOUSBHostControllerInterfaceHelpers.h", "IOUSBHostDevice.h", "IOUSBHostControllerInterface.h", "IOUSBHostDefinitions.h", "IOUSBHostInterface.h", "IOUSBHostIOSource.h", "AppleUSBDescriptorParsing.h", "IOUSBHostStream.h", "IOUSBHostObject.h", "IOUSBHostControllerInterfaceDefinitions.h", "IOUSBHostPipe.h", "IOBluetoothUIUserLib.h", "IOBluetoothUI.h", "IOBluetoothObjectPushUIController.h", "IOBluetoothDeviceSelectorController.h", "IOBluetoothPasskeyDisplay.h", "IOBluetoothPairingController.h", "IOBluetoothServiceBrowserController.h", "IOBluetoothUI.tbd", "Bluetooth.h", "IOBluetooth.h", "BluetoothAssignedNumbers.h", "IOBluetoothTypes.h", "IOBluetoothUtilities.h", "OBEXBluetooth.h", "IOBluetoothUserLib.h", "OBEX.h", "IOBluetooth.tbd", "INImage+IntentsUI.h", "IntentsUI.h", "INUIAddVoiceShortcutButton.h", "IntentsUI.apinotes", "INUIEditVoiceShortcutViewController.h", "INUIAddVoiceShortcutViewController.h", "LDAP.tbd", "OSvKernDSPLib.h", "cpu.h", "asm_help.h", "desc.h", "pio.h", "io.h", "sel.h", "reg_help.h", "tss.h", "table.h", "byte_order.h", "_limits.h", "_types.h", "_mcontext.h", "_param.h", "_endian.h", "arch.h", "cpuid_internal.h", "cpu_capabilities_public.h", "arm_features.inc", "endian.h", "locks.h", "limits.h", "atomic.h", "machine_cpuid.h", "memory_types.h", "pal_routines.h", "machine_routines.h", "param.h", "cpuid.h", "thread.h", "trap.h", "vmparam.h", "signal.h", "types.h", "AFKMemoryDescriptorOptions.h", "machine_machdep.h", "atm_types.h", "copyio.h", "_OSByteOrder.h", "crc.h", "Block.h", "OSBase.h", "OSByteOrder.h", "OSDebug.h", "OSMalloc.h", "OSAtomic.h", "OSReturn.h", "OSKextLib.h", "OSTypes.h", "version.h", "sysctl.h", "tree.h", "zconf.h", "zlib.h", "libkern.h", "kdp_callout.h", "kdp_en_debugger.h", "ipc_types.h", "krpc.h", "rpcv2.h", "xdr_subs.h", "nfs.h", "nfsproto.h", "bootp.h", "if_ether.h", "icmp6.h", "icmp_var.h", "igmp_var.h", "igmp.h", "in_pcb.h", "in_stat.h", "in_private.h", "in_arp.h", "in_var.h", "in_systm.h", "ip_var.h", "ip_icmp.h", "kpi_ipfilter.h", "ip6.h", "tcp_private.h", "ip.h", "tcp_timer.h", "tcp_fsm.h", "udp_var.h", "tcp_seq.h", "tcpip.h", "udp.h", "tcp_var.h", "tcp.h", "IOPCIFamilyDefinitions.h", "IOPCIDevice.iig", "PCIDriverKit.h", "IOPCIDevice.h", "audit_ioctl.h", "stdarg.h", "stdatomic.h", "stdbool.h", "stddef.h", "string.h", "stdint.h", "ptrauth.h", "math.h", "monotonic.h", "static_if.h", "machine_kpc.h", "machine_remote_time.h", "ipc_pthread_priority_types.h", "lz4_assembly_select.h", "vm_compressor_algorithms.h", "lz4.h", "pmap.h", "vm_dyld_pager.h", "vm_far.h", "vm_fault.h", "vm_map.h", "lz4_constants.h", "vm_options.h", "vm_pageout.h", "vm_memtag.h", "vm_shared_region.h", "vm_kern.h", "vfs_support.h", "vecLib.h", "vecLibTypes.h", "vBasicOps.h", "vForce.h", "vDSP.h", "uuid.h", "UNDReply.defs", "UNDRequest.defs", "KUNCUserNotifications.h", "UNDTypes.defs", "UNDTypes.h", "TargetConditionals.h", "apfs_boot_mount.tbd", "av.h", "cop.h", "bitcount.h", "cv.h", "ebcdic_tables.h", "EXTERN.h", "embedvar.h", "fakesdio.h", "feature.h", "form.h", "gv.h", "git_version.h", "dosish.h", "hv_macro.h", "hv_func.h", "config.h", "INTERN.h", "handy.h", "intrpvar.h", "invlist_inline.h", "hv.h", "iperlsys.h", "keywords.h", "libperl.tbd", "embed.h", "l1_char_class_tab.h", "mg_data.h", "mg_raw.h", "mg.h", "mg_vtable.h", "mydtrace.h", "nostdio.h", "op_reg_common.h", "op.h", "opcode.h", "inline.h", "overload.h", "opnames.h", "parser.h", "malloc_ctl.h", "pad.h", "perl_inc_macro.h", "perl_langinfo.h", "perl_siphash.h", "patchlevel.h", "perlapi.h", "metaconfig.h", "perlio.h", "perldtrace.h", "perliol.h", "perlvars.h", "perlsdio.h", "pp_proto.h", "perly.h", "pp.h", "reentr.h", "regcomp.h", "perl.h", "regexp.h", "scope.h", "sbox32_hash.h", "time64_config.h", "time64.h", "sv.h", "unixish.h", "uconfig.h", "utfebcdic.h", "unicode_constants.h", "utf8.h", "regnodes.h", "util.h", "vutil.h", "uudmap.h", "warnings.h", "XSUB.h", "zaphod32_hash.h", "encode.h", "python-3.9.pc", "python-3.9-embed.pc", "python3-embed.pc", "python3.pc", "AFKUser.tbd", "AdID.tbd", "Admin.tbd", "AirPlayReceiver.tbd", "AppSandbox.tbd", "ASEProcessing.tbd", "AuthenticationServicesCore.tbd", "WebGPU.tbd", "WebDriver.tbd", "MapKit.tbd", "SwiftUI.swiftoverlay", "WebKit.tbd", "WebKit.apinotes", "WKBackForwardList.h", "NSAttributedString.h", "WebKit.h", "WKBackForwardListItem.h", "WKContentRuleList.h", "WKContentRuleListStore.h", "WKContextMenuElementInfo.h", "WKDataDetectorTypes.h", "WKContentWorld.h", "WKError.h", "WKFoundation.h", "WKFindResult.h", "WKHTTPCookieStore.h", "WKFrameInfo.h", "WKNavigation.h", "WKFindConfiguration.h", "WKNavigationDelegate.h", "WKNavigationResponse.h", "WKOpenPanelParameters.h", "WebKitLegacy.h", "WKPreviewActionItem.h", "WKNavigationAction.h", "WKPreferences.h", "WKPreviewActionItemIdentifiers.h", "WKPreviewElementInfo.h", "WKProcessPool.h", "WKDownload.h", "WKPDFConfiguration.h", "WKScriptMessage.h", "WKSecurityOrigin.h", "WKScriptMessageHandler.h", "WKSnapshotConfiguration.h", "WKUIDelegate.h", "WKURLSchemeTask.h", "WKWebpagePreferences.h", "WKUserContentController.h", "WKWebsiteDataStore.h", "WKWebsiteDataRecord.h", "WKUserScript.h", "WKURLSchemeHandler.h", "WKWebViewConfiguration.h", "WKWebView.h", "WKScriptMessageHandlerWithReply.h", "WKWindowFeatures.h", "WKDownloadDelegate.h", "ASAccountAuthenticationModificationController.h", "ASAccountAuthenticationModificationViewController.h", "ASAuthorization.h", "ASAuthorizationAppleIDButton.h", "ASAccountAuthenticationModificationRequest.h", "ASAuthorizationAppleIDProvider.h", "ASAuthorizationAppleIDRequest.h", "ASAuthorizationAppleIDCredential.h", "ASAuthorizationController.h", "ASAuthorizationCredential.h", "ASAccountAuthenticationModificationExtensionContext.h", "ASAuthorizationError.h", "ASAuthorizationCustomMethod.h", "ASAuthorizationPasswordRequest.h", "ASAuthorizationOpenIDRequest.h", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "ASAuthorizationProvider.h", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "ASAuthorizationPublicKeyCredentialConstants.h", "ASAuthorizationProviderExtensionAuthorizationResult.h", "ASAuthorizationPublicKeyCredentialDescriptor.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "ASAuthorizationPasswordProvider.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "ASAuthorizationPublicKeyCredentialParameters.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "ASAuthorizationPublicKeyCredentialRegistration.h", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "ASAuthorizationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "ASAuthorizationSingleSignOnCredential.h", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "ASAuthorizationSingleSignOnProvider.h", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCOSEConstants.h", "ASCredentialIdentity.h", "ASAuthorizationSingleSignOnRequest.h", "ASCredentialIdentityStore.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "ASCredentialProviderExtensionContext.h", "ASCredentialProviderViewController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCredentialServiceIdentifier.h", "ASExtensionErrors.h", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "ASCredentialRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "ASPasskeyAssertionCredential.h", "ASPasskeyCredentialRequest.h", "ASPasskeyCredentialRequestParameters.h", "ASCredentialIdentityStoreState.h", "ASPasskeyRegistrationCredential.h", "ASPasswordCredential.h", "ASPublicKeyCredential.h", "ASPasskeyCredentialIdentity.h", "ASPublicKeyCredentialClientData.h", "ASSettingsHelper.h", "ASWebAuthenticationSessionCallback.h", "ASWebAuthenticationSession.h", "ASWebAuthenticationSessionRequest.h", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "AuthenticationServices.h", "ASFoundation.h", "AuthenticationServices.apinotes", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "ASPasswordCredentialIdentity.h", "ASPasswordCredentialRequest.h", "GameKit.apinotes", "GKAccessPoint.h", "GameKit.h", "GKAchievement.h", "GKAchievementViewController.h", "GKBasePlayer.h", "GKAchievementDescription.h", "GKChallengeEventHandler.h", "GKCloudPlayer.h", "GKChallengesViewController.h", "GKChallenge.h", "GKDefines.h", "GKError.h", "GKEventListener.h", "GKFriendRequestComposeViewController.h", "GKDialogController.h", "GKGameSessionEventListener.h", "GKGameSessionError.h", "GKGameCenterViewController.h", "GKGameSessionSharingViewController.h", "GKLeaderboardEntry.h", "GKLeaderboard.h", "GKLeaderboardScore.h", "GKGameSession.h", "GKLeaderboardSet.h", "GKLocalPlayer.h", "GKLeaderboardViewController.h", "GKMatch.h", "GKMatchmaker.h", "GKMatchmakerViewController.h", "GKPeerPickerController.h", "GKNotificationBanner.h", "GKPublicConstants.h", "GKPlayer.h", "GKPublicProtocols.h", "GKSavedGameListener.h", "GKScore.h", "GKSessionError.h", "GKVoiceChat.h", "GKTurnBasedMatchmakerViewController.h", "GKSession.h", "GKTurnBasedMatch.h", "GKSavedGame.h", "GKVoiceChatService.h" ], "public": 1, "adversary": "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "targeted_countries": [ "United States of America", "India", "Australia" ], "malware_families": [ { "id": "OSAtomic", "display_name": "OSAtomic", "target": null }, { "id": "OSReturn", "display_name": "OSReturn", "target": null }, { "id": "Ver", "display_name": "Ver", "target": null }, { "id": "Internet", "display_name": "Internet", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1968, "domain": 526, "FileHash-SHA256": 207, "hostname": 972, "email": 55, "FileHash-SHA1": 9, "FileHash-MD5": 4, "CVE": 2, "CIDR": 10 }, "indicator_count": 3753, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "388 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6746eae02e409b017dfc3446", "name": "test", "description": "", "modified": "2024-11-27T09:49:56.893000", "created": "2024-11-27T09:48:16.350000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7079 }, "indicator_count": 12733, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746eada877212ce963923c4", "name": "test", "description": "", "modified": "2024-11-27T09:48:10.379000", "created": "2024-11-27T09:48:10.379000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72e166ce385bcf6a190", "name": "test", "description": "", "modified": "2024-11-27T09:32:30.359000", "created": "2024-11-27T09:32:30.359000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72528402d5f2b560f94", "name": "test", "description": "", "modified": "2024-11-27T09:32:21.842000", "created": "2024-11-27T09:32:21.842000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f7e75b22b226428b54", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.510000", "created": "2024-11-27T09:31:35.510000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f777858514fd47721b", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.336000", "created": "2024-11-27T09:31:35.336000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f6008916b47ddecc1b", "name": "test", "description": "", "modified": "2024-11-27T09:31:34.682000", "created": "2024-11-27T09:31:34.682000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f69c42d60283e9aa0f", "name": "test", "description": "", "modified": "2024-11-27T09:31:34.344000", "created": "2024-11-27T09:31:34.344000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4be000f79eef564e0", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.861000", "created": "2024-11-27T09:31:32.861000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4e35efa94cb40610d", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.732000", "created": "2024-11-27T09:31:32.732000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4050558d7149be4f8", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.526000", "created": "2024-11-27T09:31:32.526000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f4dfcc3c6e3abf71e3", "name": "test", "description": "", "modified": "2024-11-27T09:31:32.026000", "created": "2024-11-27T09:31:32.026000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f1b272922f8975813f", "name": "test", "description": "", "modified": "2024-11-27T09:31:29.591000", "created": "2024-11-27T09:31:29.591000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6e2bc0c6a3bca869f4e", "name": "test", "description": "", "modified": "2024-11-27T09:31:14.131000", "created": "2024-11-27T09:31:14.131000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d7cdf7772c62155cc7", "name": "test", "description": "", "modified": "2024-11-27T09:31:03.357000", "created": "2024-11-27T09:31:03.357000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d634e8a45dcfcc52a1", "name": "test", "description": "", "modified": "2024-11-27T09:31:02.497000", "created": "2024-11-27T09:31:02.497000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d5d0add372df82b9ce", "name": "test", "description": "", "modified": "2024-11-27T09:31:01.001000", "created": "2024-11-27T09:31:01.001000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d4b38ef8a4f5dbd3fb", "name": "test", "description": "", "modified": "2024-11-27T09:31:00.510000", "created": "2024-11-27T09:31:00.510000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d311db88d04259103f", "name": "test", "description": "", "modified": "2024-11-27T09:30:59.961000", "created": "2024-11-27T09:30:59.961000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d386c7f4be942bd878", "name": "test", "description": "", "modified": "2024-11-27T09:30:59.831000", "created": "2024-11-27T09:30:59.831000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6d16bc55ef32a6d3ad1", "name": "test", "description": "", "modified": "2024-11-27T09:30:57.742000", "created": "2024-11-27T09:30:57.742000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6cffe9312f50b94ab69", "name": "test", "description": "", "modified": "2024-11-27T09:30:55.961000", "created": "2024-11-27T09:30:55.961000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6655a8f77482c5968024f361", "name": "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages", "description": "", "modified": "2024-06-27T09:01:15.628000", "created": "2024-05-28T09:50:47.616000", "tags": [ "primary article", "cybersecurity", "mythic", "poseidon agent", "pbors", "india", "globshell", "sparsh", "iso image", "pdf lure", "reference", "defense", "downloader", "execution", "python", "desktop", "discord", "april", "rust", "format", "virustotal", "media", "path", "winrar", "phishing", "project", "download", "reboot", "shell", "persistence", "capture", "import" ], "references": [ "https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 70, "FileHash-SHA256": 86, "URL": 33, "YARA": 1, "domain": 24, "hostname": 2 }, "indicator_count": 286, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "702 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6503e2757924cd9f6f7a9611", "name": "Network IOCs (Pulse Created by cnoscsoc@att.com)", "description": "", "modified": "2023-09-15T04:49:57.815000", "created": "2023-09-15T04:49:57.815000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "614e0dc583aa90bf2dd4ec91", "export_count": 7213, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "988 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6503e275ad0281f4ff3b1ebc", "name": "Network IOCs (Pulse Created by cnoscsoc@att.com)", "description": "", "modified": "2023-09-15T04:49:57.375000", "created": "2023-09-15T04:49:57.375000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "614e0dc583aa90bf2dd4ec91", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "988 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "LICENSE", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "2016-02-12 - A Look Into Fysbis- Sofacy\u2019s Linux Backdoor.pdf", "2016-02-12 - Security Alert- Mazar BOT \u2013 the Android Malware That Can Erase Your Phone.pdf", "2016-05-19 - Petya and Mischa for All! The RaaS Boom Expands to Include the Petya-Mischa Combo.pdf", "ASAuthorizationPasswordProvider.h", "virtual", "2016-08-10 - CryptXXX - CrypMIC \u2013 intensywnie dystrybuowany ransomware w ramach exploit-kit\u00f3w.pdf", "2016-06-25 - Rokku Ransomware shows possible link with Chimera.pdf", "2016-10-17 - \u2018DealersChoice\u2019 is Sofacy\u2019s Flash Player Exploit Platform.pdf", "IOPCIDevice.h", "UNDTypes.h", "ASEProcessing.tbd", "GCGamepadSnapshot.h", "math.h", "CredentialsCache.h", "2016-06-24 - Ani-Shell.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "INUIAddVoiceShortcutViewController.h", "ASAuthorizationPublicKeyCredentialDescriptor.h", "machine_machdep.h", "2016-09-28 - Belling the BEAR.pdf", "2016-09-05 - Pok\u00e9mon-themed Umbreon Linux Rootkit Hits x86, ARM Systems.pdf", "_OSByteOrder.h", "2016-05-16 - Vietnamese Bank Blocks $1 Million SWIFT Heist.pdf", "2015-05-18 - TT Malware Log.pdf", "2016-02-17 - Russian Police Prevented Massive Banking Sector Cyber Attack.pdf", "IOBluetoothUIUserLib.h", "2015-01-21 - The DGA of Symmi.pdf", "GCPhysicalInputProfile.h", "Dissecting the malware in inocnation campaign.pdf", "kdp_callout.h", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "ASAccountAuthenticationModificationController.h", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "networks", "tcpip.h", "GCController.h", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "module.modulemap", "2015-08-12 - Islamic State Hacking Division.pdf", "IOUSBHostControllerInterface.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "auto_master", "custom-error.html", "Block.h", "GCMotion.h", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "2016-09-06 - Blatsting C&C Transcript.pdf", "Blue termite (1).pdf", "GCPhysicalInputSource.h", "GKScore.h", "Bookworm Trojan (1).pdf", "2016-02-02 - Vipasana ransomware new ransom on the block.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2016-12-22 - Tofsee Spambot features .ch DGA - Reversal and Countermesaures.pdf", "IOUSBHostIOSource.h", "vm_memtag.h", "vm_options.h", "WKDownload.h", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "protocols", "2016-12-14 - Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016.pdf", "ASAuthorizationProvider.h", "2016-11-09 - Down the H-W0rm Hole with Houdini\u2019s RAT.pdf", "rpc", "2016-09-13 - The curious case of BLATSTING's RSA implementation.pdf", "perl.h", "bashrc_Apple_Terminal", "gv.h", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "x86_64-apple-ios-macabi.swiftinterface", "canvas.html", "UNDTypes.defs", "locate_plugin.h", "Cisco HayStack.pdf", "ASAuthorizationPublicKeyCredentialRegistration.h", "2016-05-27 - Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks.pdf", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "2016-01-12 - The Magnificent FIN7- Revealing a Cybercriminal Threat Group.pdf", "if_ether.h", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "GKDialogController.h", "ASAuthorizationPasswordRequest.h", "GKFriendRequestComposeViewController.h", "GKSavedGame.h", "perlsdio.h", "2016-07-28 - Petya and Mischa For All Part II- They\u2019re Here\u2026.pdf", "2016-08-01 - CrowdStrike\u2019s New Methodology for Tracking eCrime.pdf", "Dino.pdf", "2016-06-11 - The Chinese Hackers in the Back Office.pdf", "afpovertcp.cfg", "2016-11-23 - Analysis- Ursnif - spying on your data since 2007.pdf", "GCKeyNames.h", "time64.h", "IOBluetoothUI.h", "2016-11-07 - Little Trickbot Growing Up- New Campaign.pdf", "2016-09-11 - BUZZDIRECTION- BLATSTING reloaded.pdf", "krb5.h", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "KerberosLogin.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "newsyslog.conf", "GCDeviceHaptics.h", "AppleFirmwareUpdate.tbd", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2016-06-02 - FastPOS- Quick and Easy Credit Card Theft.pdf", "encode.h", "2016-07-20 - CrypMIC Ransomware Wants to Follow CryptXXX\u2019s Footsteps.pdf", "autofs.conf", "BluetoothAssignedNumbers.h", "zaphod32_hash.h", "ebcdic_tables.h", "intrpvar.h", "ASWebAuthenticationSession.h", "ASAuthorizationRequest.h", "2016-04-21 - PoS Attacks Net Crooks 20 Million Stolen Bank Cards.pdf", "GameKit.apinotes", "vmparam.h", "Operation Blockbuster Ex Summary.pdf", "2016-08-23 - Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "GCSteeringWheelElement.h", "2016-07-08 - Investigating the LuminosityLink Remote Access Trojan Configuration.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2016-05-15 - What We Can Learn From the Bangladesh Central Bank Cyber Heist.pdf", "2016-09-13 - DualToy- New Windows Trojan Sideloads Risky Apps to Android and iOS Devices.pdf", "Behind the syria conflict.pdf", "ttys", "stdarg.h", "dosish.h", "ASAuthorizationSingleSignOnCredential.h", "stdatomic.h", "2015-07-30 - Sakula Malware Family.pdf", "ASAuthorizationCustomMethod.h", "zshrc", "IntentsUI.h", "2015-06-17 - The Spring Dragon APT.pdf", "2016-07-22 - Stampado Ransomware campaign decrypted before it Started.pdf", "2016-09-14 - BkSoD by Ransomware- HDDCryptor Uses Commercial Tools to Encrypt Network Shares and Lock HDDs.pdf", "2016-02-17 - OceanLotus for OS X \u2013 an Application Bundle Pretending to be an Adobe Flash Update.pdf", "GKLocalPlayer.h", "2015-04-15 - Betabot retrospective.pdf", "WKWindowFeatures.h", "2016-08-22 - Trojan.Mutabaha.1.pdf", "Dukes.pdf", "GKCloudPlayer.h", "op.h", "2016-04-01 - Petya \u2013 Taking Ransomware To The Low Level.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2016-05-17 - Indian organizations targeted in Suckfly attacks.pdf", "ASPasskeyRegistrationCredential.h", "ASPasswordCredentialRequest.h", "content-negotiation.html", "types.h", "malloc_ctl.h", "2016-08-29 - Nightmare on Tor Street- Ursnif variant Dreambot adds Tor functionality.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2016-03-06 - Network detector for Winnti malware.pdf", "2016-04-26 - Digging deep for PLATINUM.pdf", "WKPreviewElementInfo.h", "APT-C-09 (2).pdf", "IOBluetoothTypes.h", "2016-05-02 - Prince of Persia Hashes.pdf", "2016-04-28 - Tick cyberespionage group zeros in on Japan.pdf", "paths", "vm_kern.h", "Black Energy APT.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "pal_routines.h", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "rpcv2.h", "pmap.h", "2016-08-16 - Aveo Malware Family Targets Japanese Speaking Users.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "op_reg_common.h", "2016-03-21 - OS X Malware Samples Analyzed.pdf", "OSAtomic.h", "2016-03-10 - Death Comes Calling- Thanatos-Alphabot Trojan Hits the Market.pdf", "shells", "managedPolicies.csv", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "certificates.csv", "2016-06-09 - Reverse-engineering DUBNIUM.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2016-07-26 - Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan.pdf", "mg.h", "2015-07-31 - OTX Pulse on PlugX.pdf", "2016-11-30 - Bladabindi Remains A Constant Threat By Using Dynamic DNS Services.pdf", "version.h", "WKNavigationResponse.h", "GKTurnBasedMatch.h", "caching.html", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "A tale of two targets.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2016-01-24 - Scarlet Mimic- Years-Long Espionage Campaign Targets Minority Activists.pdf", "2016-10-10 - Remsec driver analysis - Part 2.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2016-10-31 - Second Shadow Brokers dump released.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "CredentialsCache2.h", "attack delivers 9002 trojan through google drive.pdf", "GKPublicConstants.h", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "vm_fault.h", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "nfs.conf", "2016-04-07 - FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen.pdf", "2016-02-26 - Nymaim Moves Past Its Ransomware Roots - What Is Old Is New Again.pdf", "2016-11-10 - Floki Bot and the stealthy dropper.pdf", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "GCSyntheticDeviceKeys.h", "ip6.h", "GKAchievement.h", "zlib.h", "2016-03-01 - Shrouded Crossbow Creators Behind BIFROSE for UNIX.pdf", "2016-05-29 - Keep Calm and (Don\u2019t) Enable Macros- A New Threat Actor Targets UAE Dissidents.pdf", "2016-10-03 - Polyglot \u2013 the fake CTB-locker.pdf", "rc.netboot", "regnodes.h", "2016-05-03 - A Universal Windows Bootkit.pdf", "2016-12-09 - Now Mirai Has DGA Feature Built in.pdf", "2016-10-03 - On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users.pdf", "GCTouchedStateInput.h", "2016-02-18 - New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom.pdf", "2016-03-25 - ProjectM- Link Found Between Pakistani Actor and Operation Transparent Tribe.pdf", "2016-12-26 - Rocket Kitten.pdf", "2016-08-08 - MONSOON - Analysis Of An APT Campaign.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "GKGameSessionSharingViewController.h", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "ASPasswordCredentialIdentity.h", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "WKScriptMessageHandlerWithReply.h", "2016-11-22 - Cobalt hackers executed massive, synchronized ATM heists across Europe, Russia.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2016-03-01 - Look Into Locky Ransomware.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2016-01-28 - BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents.pdf", "2016-03-15 - Suckfly- Revealing the secret life of your code signing certificates.pdf", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "Goldfish Phishing.pdf", "ASCredentialRequest.h", "_limits.h", "byte_order.h", "GKGameSession.h", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "perldtrace.h", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "etcHosts.csv", "2016-02-03 - Emissary Trojan Changelog- Did Operation Lotus Blossom Cause It to Evolve-.pdf", "inline.h", "2016-03-30 - Ransomware Deployed by Adversary with Established Foothold.pdf", "2016-04-08 - CryptoHost Decrypted Locks files in a password protected RAR File.pdf", "2016-06-03 - Cooking Up Autumn (Herbst) Ransomware.pdf", "WKDownloadDelegate.h", "trap.h", "2016-10-03 - Remsec driver analysis.pdf", "GKAchievementDescription.h", "GKSession.h", "2016-02-24 - Operation Blockbuster Coalition Ties Destructive Attacks to Lazarus Group.pdf", "2016-10-24 - Introducing TrickBot, Dyreza\u2019s successor.pdf", "scope.h", "UNDReply.defs", "2016-08-04 - Iran Threats Webpage.pdf", "main.cf", "2016-07-08 - GootKit- Bobbing and Weaving to Avoid Prying Eyes.pdf", "2016-05-09 - PSEUDO-DARKLEECH ANGLER EK FROM 185.118.66.154 SENDS BEDEP-CRYPTXXX.pdf", "ASWebAuthenticationSessionRequest.h", "2016-06-22 - After Angler- Shift in Exploit Kit Landscape and New Crypto-Ransomware Activity.pdf", "tss.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "2016-09-20 - Hackers lurking, parliamentarians told _ News _ DW _ 20.09.2016.pdf", "thread.h", "keywords.h", "GCAxisElement.h", "GCDeviceLight.h", "perly.h", "2016-01-26 - URLZone Zones in on Japan.pdf", "desc.h", "WebDriver.tbd", "GCExtendedGamepadSnapshot.h", "2016-03-29 - Taiwan targeted with new cyberespionage back doorTrojan.pdf", "iperlsys.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "ASAuthorizationPublicKeyCredentialParameters.h", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "python-3.9-embed.pc", "GKLeaderboard.h", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2016-02-05 - Vawtrak and UrlZone Banking Trojans Target Japan.pdf", "ASCredentialIdentityStoreState.h", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "GKPlayer.h", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2016-10-27 - BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List.pdf", "2016-10-01 - \u2018Shadow Brokers\u2019 Whine That Nobody Is Buying Their Hacked NSA Files.pdf", "pf.os", "ipc_types.h", "2016-08-04 - Iranian Actor -Group5- Targeting Syrian Opposition.pdf", "2016-09-19 - Untangling the Ripper ATM Malware.pdf", "perlapi.h", "ldap.h", "vDSP.h", "man.conf", "perlvars.h", "ASSettingsHelper.h", "ip_icmp.h", "WKBackForwardList.h", "ASAuthorizationSingleSignOnRequest.h", "2016-08-25 - Unpacking the spyware disguised as antivirus.pdf", "WKSecurityOrigin.h", "launchagents.txt", "WKWebsiteDataRecord.h", "users.csv", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "ASExtensionErrors.h", "index.html.en", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2016-04-13 - Ghosts in the Endpoint.pdf", "2016-08-08 - Doctor Web detected Linux Trojan written in Go.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "IOBluetoothUI.tbd", "2016-05-19 - Petya and Mischa \u2013 Ransomware Duet (Part 1).pdf", "MCError.h", "_types.h", "stdbool.h", "tcp_seq.h", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "audit_ioctl.h", "gettytab", "patchlevel.h", "2016-07-07 - New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware..pdf", "2016-06-14 - CVE-2016-4171 \u2013 Adobe Flash Zero-day used in targeted attacks.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2016-05-23 - DMA Locker 4.0- Known ransomware preparing for a massive distribution.pdf", "2016-09-21 - KrebsOnSecurity Hit With Record DDoS.pdf", "2016-04-05 - SCADA Security Report 2016.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2016-05-06 - 7ev3n ransomware turning \u2018HONE$T\u2019.pdf", "2016-06-15 - Unsupported TeamViewer Versions Exploited For Backdoors, Keylogging.pdf", "WKOpenPanelParameters.h", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "WKFindResult.h", "2016-07-12 - Me and Mr. Robot- Tracking the Actor Behind the MAN1 Crypter.pdf", "OSTypes.h", "AdID.tbd", "2016-05-03 - The Continuing Evolution of Samas Ransomware.pdf", "2016-08-29 - Fantom ransomware impersonates Windows update.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "GCDualSenseAdaptiveTrigger.h", "tcp_timer.h", "preauth_plugin.h", "IOUSBHostInterface.h", "Casper Malware.pdf", "GKLeaderboardSet.h", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "GCDirectionalGamepad.h", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "OSDebug.h", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "OpenAL.h", "2016-10-17 - A Tale of Two Targets.pdf", "2016-11-21 - Android malware analysis with Radare- Dissecting the Triada Trojan.pdf", "2016-09-01 - TADAQUEOUS moments.pdf", "ASAuthorizationSingleSignOnProvider.h", "in_var.h", "2016-07-12 - Malware Discovered \u2013 SFG- Furtim Malware Analysis.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "systemControls.csv", "GCRelativeInput.h", "OpenAL.tbd", "kern_loader.conf", "2016-03-24 - Maktub Locker \u2013 Beautiful And Dangerous.pdf", "2016-05-11 - Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks.pdf", "cpu_capabilities_public.h", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "feature.h", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "gssapi.h", "hv.h", "irbrc", "git_version.h", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2016-10-25 - Houdini\u2019s Magic Reappearance.pdf", "GCRacingWheel.h", "Trojan Skelky.pdf", "IOBluetoothUtilities.h", "2016-10-15 - TrickBot- We Missed you, Dyre.pdf", "2016-01-21 - Android Spywaller- Firewall-Style Antivirus Blocking.pdf", "INImage+IntentsUI.h", "2016-07-01 - How I Cracked a Keylogger and Ended Up in Someone's Inbox.pdf", "tree.h", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2016-12-08 - Thyssenkrupp victim of cyber attack.pdf", "2016-07-21 - Canadian Man Behind Popular \u2018Orcus RAT\u2019.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2016-01-13 - Russian group behind 2013 Foreign Ministry hack.pdf", "2016-10-05 - FastPOS Updates in Time for the Retail Sale Season.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "vutil.h", "form.h", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-09-01 - Fancy Bear.pdf", "MultipeerConnectivity.apinotes", "2016-01-18 - Updated Blackmoon banking Trojan stays focused on South Korean banking customers.pdf", "MultipeerConnectivity.tbd", "2016-06-15 - Mofang- A politically motivated information stealing adversary.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "MCNearbyServiceBrowser.h", "applications.csv", "x86_64-apple-macos.swiftinterface", "vm_shared_region.h", "GKDefines.h", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "OSReturn.h", "GCDeviceCursor.h", "tcp_fsm.h", "sharingPreferences.csv", "2015-07-14 - BernhardPOS.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "2016-08-16 - Brazil Can\u2019t Catch a Break- After Panda Comes the Sphinx.pdf", "GCGearShifterElement.h", "arm_features.inc", "2016-01-22 - Sykipot APT Malware.pdf", "2016-10-25 - TrickBot Banker Insights.pdf", "vForce.h", "custom_header_checks", "CodeResources", "2016-08-11 - Smrss32 (.encrypted) Ransomware Help & Support - _HOW_TO_Decrypt.bmp.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "dbd_xsh.h", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "rmtab", "2016-02-24 - The DGA of Qakbot.T.pdf", "2015-09-12 - Stuxnet code.pdf", "Operation Dust Storm.pdf", "asl.conf", "2016-12-28 - Switcher- Android joins the \u2018attack-the-router\u2019 club.pdf", "WKUserContentController.h", "arm64e-apple-macos.swiftinterface", "2016-10-27 - In-Dev Ransomware forces you do to Survey before unlocking Computer.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "GameController.h", "WKBackForwardListItem.h", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "OSMalloc.h", "2016-02-09 - DMA Locker Strikes Back.pdf", "_mcontext.h", "2016-11-09 - Tricks of the Trade- A Deeper Look Into TrickBot\u2019s Machinations.pdf", "cop.h", "2016-10-21 - BITTER- a targeted attack against Pakistan.pdf", "2016-10-28 - zxshell repository.pdf", "2016-02-29 - The \u201cHawkEye\u201d attack- how cybercrooks target small businesses for big money.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "main.cf.proto", "Wild Neutron.pdf", "2016-11-15 - CryptoLuck Ransomware being Malvertised via RIG-E Exploit Kits.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "IOUSBHostCIDeviceStateMachine.h", "profile", "2016-09-08 - The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals.pdf", "2016-03-18 - Xor DDoS.pdf", "SwiftUI.swiftoverlay", "sudo_lecture", "IOBluetoothPairingController.h", "IOUSBHostPipe.h", "user_launchagents.txt", "IOUSBHostControllerInterfaceDefinitions.h", "parser.h", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "2016-09-23 - Dissecting a Hacktivist\u2019s DDoS Tool- Saphyra Revealed.pdf", "2016-05-13 - Cyber Heist Attribution.pdf", "BBSRAT Roaming Tiger.pdf", "TargetConditionals.h", "WKSnapshotConfiguration.h", "2016-03-23 - SamSam- The Doctor Will See You, After He Pays The Ransom.pdf", "rc.common", "IOPCIDevice.iig", "ASCOSEConstants.h", "Houdini.s.Magic.Reappearance.pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "udp_var.h", "ASAuthorizationAppleIDRequest.h", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "GCDevicePhysicalInputState.h", "sv.h", "reentr.h", "mydtrace.h", "python-3.9.pc", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "resolv.conf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "Dust Storm Infographic.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "endian.h", "GKGameSessionEventListener.h", "libperl.tbd", "2016-01-01 - Die erste Ransomware in JavaScript- Ransom32.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2016-01-09 - Confirmation of a Coordinated Attack on the Ukrainian Power Grid.pdf", "GCSwitchElement.h", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "pp.h", "asm_help.h", "2016-07-11 - When Paying Out Doesn't Pay Off.pdf", "IOUSBHost.tbd", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "2016-09-17 - A few notes on SECONDDATE's C&C protocol.pdf", "GKError.h", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "profile.h", "crc.h", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2016-12-20 - New Linux-Rakos threat- devices and servers under SSH scan (again).pdf", "IOUSBHostCIPortStateMachine.h", "2016-11-08 - Analysis of IOS.GUIINJECT Adware Library.pdf", "IOBluetoothDeviceSelectorController.h", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "sudoers", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2016-09-13 - H1N1- Technical analysis reveals new capabilities.pdf", "2016-06-07 - The Story of yet another ransom-fail-ware.pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "ASFoundation.h", "2016-11-17 - It\u2019s Parliamentary - KeyBoy and the targeting of the Tibetan Community.pdf", "2016-08 - Analysis of a packed Pony downloader.pdf", "lz4_assembly_select.h", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "ASAccountAuthenticationModificationRequest.h", "bootp.h", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "krpc.h", "2016-04-11 - Manamecrypt \u2013 a ransomware that takes a different route.pdf", "2016-09-28 - Confucius Says\u2026Malware Families Get Further By Abusing Legitimate Websites.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2016-06-17 - Operation Daybreak.pdf", "handy.h", "embed.h", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2016-08-10 - Android Marcher- Continuously Evolving Mobile Malware.pdf", "memory_types.h", "2016-12-19 - Dismantling a Nuclear Bot.pdf", "2016-08-07 - Strider- Cyberespionage group turns eye of Sauron on targets.pdf", "Agent.BTZ to ComRAT.pdf", "MCAdvertiserAssistant.h", "GCButtonElement.h", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "hook_op_check.h", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "tcp_var.h", "MCNearbyServiceAdvertiser.h", "2016-07-01 - KeyBase - A New Keylogger on the Block.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "opcode.h", "utfebcdic.h", "2016-11-14 - Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2016-09-09 - GOVRAT V2.0 - Attacking US military and government.pdf", "2016-09-20 - Hackers lurking, parliamentarians told.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2016-09-27 - Komplex Mac backdoor answers old questions.pdf", "MCBrowserViewController.h", "2015-08-19 - Antak WebShell.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "static_if.h", "WKContentWorld.h", "WKUserScript.h", "2016-08-08 - Possibly Italy-Born Android RAT Reported in China, Find Bitdefender Researchers.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2016-06-23 - POS and Credit Cards- In the Line of Fire with \u201cPunkeyPOS\u201d.pdf", "Apt 28 (2).pdf", "unixish.h", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "master.cf.default", "monotonic.h", "ASAuthorizationAppleIDCredential.h", "preboot_archive_errors.log", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "China Peace Palace.pdf", "2016-12-06 - Deep Analysis of the Online Banking Botnet TrickBot.pdf", "in_private.h", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "warnings.h", "Aveo.pdf", "2016-11-08 - SPAMTORTE VERSION 2- DISCOVERY OF AN ADVANCED, MULTILAYERED SPAMBOT CAMPAIGN THAT IS BACK WITH A VENGEANCE.pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "AppleUSBDescriptorParsing.h", "2016-07-31 - China 1937CN Team Hackers Attack Airports in Vietnam.pdf", "APT C 03.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "WebKit.h", "in_systm.h", "2015-02-20 - The DGAs of Necurs.pdf", "2016-04-28 - Research Spotlight- The Resurgence of Qbot.pdf", "OSByteOrder.h", "GCProductCategories.h", "mg_raw.h", "IOUSBHostDefinitions.h", "IOBluetoothServiceBrowserController.h", "GKGameSessionError.h", "chromeExtensions.csv", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2016-07-25 - Patchwork cyberespionage group expands targets from governments to wide range of industries.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "regcomp.h", "2016-06 - Form Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world.pdf", "2016-05-12 - Hancitor and Ruckguv Reappear, Updated and With Vawtrak On Deck.pdf", "interfaceAddrs.csv", "Duke cloud Linux (1).pdf", "2015-11-16 - Introducing LogPOS.pdf", "udp.h", "GCDeviceBattery.h", "vm_far.h", "AirPlayReceiver.tbd", "Animals in the APT Farm.pdf", "config.xml", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "perl_siphash.h", "machine_routines.h", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2016-10-18 - Digitally Signed Malware Targeting Gaming Companies.pdf", "2016-02-19 - Citadel 0.0.1.1 (Atmos).pdf", "GKSessionError.h", "GCAxisInput.h", "TLS_LICENSE", "OSKextLib.h", "mg_data.h", "2016-03-11 - Cerber ransomware- new, but mature.pdf", "2016-12-16 - Bayrob- Three suspects extradited to face charges in US.pdf", "2016-04-22 - Tater- A PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit..pdf", "MCSession.h", "GKSavedGameListener.h", "config.h", "GCDualSenseGamepad.h", "igmp_var.h", "WKPreferences.h", "ASAuthorizationController.h", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "PCIDriverKit.h", "pad.h", "AuthenticationServicesCore.tbd", "IOUSBHostObject.h", "2016-07-06 - New OSX-Keydnap malware is hungry for credentials.pdf", "2016-02-02 - DMA Locker- New Ransomware, But No Reason To Panic.pdf", "2015-02-15 - Carbanak.pdf", "2015-08-18 - ransomware open-sources.pdf", "sipConfig.csv", "bitcount.h", "locate.rc", "IOBluetoothUserLib.h", "2016-01-23 - Imminent Monitor 4 RAT Analysis \u2013 A Glance.pdf", "hv_func.h", "ASPasskeyAssertionCredential.h", "2016-09-29 - Want Tofsee My Pictures- A Botnet Gets Aggressive.pdf", "in_stat.h", "2016-02-22 - Russian bank employees received fake job offers in targeted email attack.pdf", "l1_char_class_tab.h", "time64_config.h", "Attacks on France TV5 Monde.pdf", "ASAuthorizationError.h", "2016-06-23 - Tracking Elirks Variants in Japan- Similarities to Previous Attacks.pdf", "GCInputNames.h", "IOUSBHost.h", "GKMatch.h", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "security_status.txt", "syslog.conf", "ntp.conf", "APT CVE-2015-5119.pdf", "manpaths", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "INUIAddVoiceShortcutButton.h", "2015-11-04 - A Technical Look At Dyreza.pdf", "oalStaticBufferExtension.h", "2016-04-19 - MULTIGRAIN \u2013 Point of Sale Attackers Make an Unhealthy Addition to the Pantry.pdf", "2016-11-02 - Exposing the EGO MARKET- the cybercrime performed by the Linux-Moose botnet.pdf", "fakesdio.h", "2016-05-09 - KRBanker Targets South Korea Through Adware and Exploit Kits.pdf", "2016-06-25 - SectorC08- Multi-Layered SFX in Recent Campaigns Target Ukraine.pdf", "APT-C-15.pdf", "GKChallengeEventHandler.h", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "util.h", "2016-04-06 - Bootkit's development overview and trend (X).pdf", "ASPasskeyCredentialRequestParameters.h", "WebKitLegacy.h", "2016-10-17 - RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT.pdf", "string.h", "2016-05-02 - Prince of Persia- Infy Malware Active In Decade of Targeted Attacks.pdf", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "vfs_support.h", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "2015-11-02 - Troj-Cryakl-B.pdf", "2016-05-22 - Cron has fallen.pdf", "2016-12-27 - ANALYSIS OF AUGUST STEALER MALWARE.pdf", "transport", "AuthenticationServices.apinotes", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2016-08-05 - Smoke Loader \u2013 downloader with a smokescreen still alive.pdf", "2016-12-01 - Alert (TA16-336A)- Avalanche (crimeware-as-a-service infrastructure).pdf", "GCXboxGamepad.h", "ASAccountAuthenticationModificationViewController.h", "kexts.txt", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "configuring.html", "Bluetooth.h", "2016-11-17 - Princess Locker decryptor.pdf", "WKContentRuleListStore.h", "2016-09-20 - Meanwhile in Britain, Qadars v3 Hardens Evasion, Targets 18 UK Banks.pdf", "2015-03-28 - UACME.pdf", "lz4_constants.h", "2016-12-13 - The rise of TeleBots- Analyzing disruptive KillDisk attacks.pdf", "capture_resize.js", "GCControllerElement.h", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "generic", "2016-09-08 - Doctor Web discovers Linux Trojan written in Rust.pdf", "GCAxis2DInput.h", "2016-02-09 - Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact.pdf", "GKEventListener.h", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "vm_map.h", "2016-10-27 - Inside the Gootkit C&C server.pdf", "Black Energy.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2016-01-21 - NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan.pdf", "passwd", "2016-07-14 - Technical Notes on Sakula.pdf", "2016-04-27 - Freezer Paper around Free Meat (Repackaging Open Source BeEF for Tracking and More).pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "locks.h", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "usbDevices.csv", "2016-12-23 - Emsisoft Decryptor for GlobeImposter.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "GCExtendedGamepad.h", "2016-05-23 - Technical Report about the Malware used in the Cyberespionage against RUAG.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "IOUSBHostCIEndpointStateMachine.h", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2016-12-29 - Some notes on IoCs.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2016-12-07 - The TrickBot Evolution.pdf", "perliol.h", "WKContentRuleList.h", "2016-09-11 - Free Darktrack RAT Has the Potential of Being the Best RAT on the Market Search.pdf", "param.h", "2016-03-14 - Massive Malvertising Campaign in US Leads to Angler Exploit Kit-BEDEP.pdf", "2016-09-22 - Book of Eli- African targeted attacks.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2016-07-18 - Third time (un)lucky \u2013 improved Petya is out.pdf", "kpi_ipfilter.h", "com.apple.screensharing.agent.launchd", "_param.h", "WKURLSchemeHandler.h", "2016-01-29 - VB2015 paper- It's A File Infector... It\u2019s Ransomware... It's Virlock.pdf", "2016-06-21 - The Curious Case of an Unknown Trojan Targeting German-Speaking Users.pdf", "2016-10-10 - How France's TV5 was almost destroyed by 'Russian hackers'.pdf", "2016-06-17 - In The Wild- Mobile Malware Implements New Features.pdf", "APT 28.pdf", "GKGameCenterViewController.h", "GCMouse.h", "WKWebsiteDataStore.h", "canonical", "2016-11-28 - A New All-in-One Botnet- Proteus.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "MCPeerID.h", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2016-08-19 - New Hancitor Malware- Pimp my Downloaded.pdf", "2021-09-21-Curriculo-IOCs.txt", "ASPasskeyCredentialIdentity.h", "2016-11-01 - Ursnif Malware- Deep Technical Dive.pdf", "GKAchievementViewController.h", "ASPasskeyCredentialRequest.h", "2016-10-20 - TheMoon - A P2P botnet targeting Home Routers.pdf", "2016-12-07 - Floki Bot Strikes, Talos and Flashpoint Respond.pdf", "cv.h", "GKMatchmakerViewController.h", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "nfsproto.h", "IOUSBHostStream.h", "2016-09-16 - Tofsee \u2013 modular spambot.pdf", "GKNotificationBanner.h", "gssapi_generic.h", "OSvKernDSPLib.h", "dbixs_rev.h", "GKChallenge.h", "2016-07-26 - Attack Delivers \u20189002\u2019 Trojan Through Google Drive.pdf", "2016-10-09 - SiteIntel- Cyber Caliphate Army.pdf", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "process_list.txt", "GKTurnBasedMatchmakerViewController.h", "AFKUser.tbd", "2016-06-06 - Everyone sees not what they want to see.pdf", "2016-01-29 - From Linux to Windows \u2013 New Family of Cross-Platform Desktop Backdoors Discovered.pdf", "sbox32_hash.h", "GKBasePlayer.h", "2016-11-02 - Linux-Moose- Still breathing.pdf", "MapKit.tbd", "GCMicroGamepadSnapshot.h", "IntentsUI.apinotes", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "AFKMemoryDescriptorOptions.h", "2016-05-12 - Chinese-language Ransomware \u2018SHUJIN\u2019 Makes An Appearance.pdf", "command_args.json", "2016-06-10 - Petya and Mischa- ransomware duet (part 2).pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2016-05-20 - Special Report- Cyber thieves exploit banks' faith in SWIFT transfer network.pdf", "uuid.h", "2016-08-08 - Strider- Cyberespionage group turns eye of Sauron on targets.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2016-02-21 - Source code for powerful Android banking malware is leaked.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "APT group ups targets us gov.pdf", "ipc_pthread_priority_types.h", "XSUB.h", "2016-04-14 - Meet GozNym- The Banking Malware Offspring of Gozi ISFB and Nymaim.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2016-04-25 - Attackers Behind GozNym Trojan Set Sights on Europe.pdf", "dbi_sql.h", "AppSandbox.tbd", "zshrc_Apple_Terminal", "2016-11-22 - Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy.pdf", "ASAuthorizationAppleIDProvider.h", "2016-10-04 - OilRig Malware Campaign Updates Toolset and Expands Targets.pdf", "kernel.csv", "GCControllerButtonInput.h", "GCLinearInput.h", "kdp_en_debugger.h", "machine_kpc.h", "2016-12-29 - GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity.pdf", "IOBluetooth.tbd", "2016-12-14 - MiKey - A Linux keylogger.pdf", "2016-03-23 - Gozi ISFB Sourceccode.pdf", "ASWebAuthenticationSessionCallback.h", "2016-09-20 - Inside Petya and Mischa ransomware.pdf", "2016-11-28 - NetWire RAT Steals Payment Card Data.pdf", "2016-07-03 - Android Triada modular trojan.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "signal.h", "2016-08-17 - Operation Ghoul- targeted attacks on industrial and engineering organizations.pdf", "2016-11-30 - Shamoon 2- Return of the Disttrack Wiper.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "GKPublicProtocols.h", "plugin.js", "2016-06-15 - Bears in the Midst- Intrusion into the Democratic National Committee.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "Demonstrating Hustle.pdf", "WKScriptMessageHandler.h", "ASAuthorizationProviderExtensionAuthorizationResult.h", "IOUSBHostControllerInterfaceHelpers.h", "arch.h", "2015-03-10 - The DGA of Pykspa.pdf", "find.codes", "WKFrameInfo.h", "sharedFolders.csv", "lber.h", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "2016-04-06 - Locky Ransomware Is Becoming More Sophisticated - Cybercriminals Continue Email Campaign Innovation.pdf", "ASAuthorizationCredential.h", "2016-07-08 - The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region.pdf", "bashrc", "diskEncryption.csv", "machine_remote_time.h", "2016-02-14 - PadCrypt The first ransomware with Live Support Chat and an Uninstaller.pdf", "WKFindConfiguration.h", "2016-11-02 - Nymaim Malware- Deep Technical Dive \u2013 Adventures in Evasive Malware.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "ASAuthorizationPublicKeyCredentialConstants.h", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "atm_types.h", "2016-09-16 - iSpy Keylogger.pdf", "2016-09-28 - Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware.pdf", "Bears in the Midst Intrusion into the Democratic National Committee \u00bb.pdf", "Admin.tbd", "DBIXS.h", "WebGPU.tbd", "2016-10-11 - Remsec driver analysis - Part 3.pdf", "2016-03-18 - Teslacrypt Spam Campaign- \u201cUnpaid Issue\u2026\u201d.pdf", "2016-06-28 - Prince of Persia \u2013 Game Over.pdf", "2016-08-04 - What is Multigrain- Learn what makes this PoS malware different.pdf", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "2015-03-06 - Animals in the APT Farm.pdf", "master.cf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors", "makedefs.out", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "Duqu 2.0 Yara rules.pdf", "2016-03-11 - Gaudox - HTTP Bot (1.1.0.1) - C++-ASM - Ring3 Rootkit - Watchdog - Antis.pdf", "2016-01-29 - Malicious Office Files Dropping Kasidet And Dridex.pdf", "systemInfo.csv", "2015-01-11 - The Mozart RAM Scraper.pdf", "GKMatchmaker.h", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2016-03-07 - RedHat Hacker.asp.pdf", "2016-02-29 - New Malware \u2018Rover\u2019 Targets Indian Ambassador to Afghanistan.pdf", "perlio.h", "launchD.csv", "GKVoiceChatService.h", "2016-04-27 - Freezer Paper around Free Meat.pdf", "metaconfig.h", "lz4.h", "2016-10-27 - Mirai DDoS Botnet- Source Code & Binary Analysis.pdf", "launchdaemons.txt", "unicode_constants.h", "csh.cshrc", "cpuid_internal.h", "OBEXBluetooth.h", "mounts.txt", "APConfigurationSystem.tbd", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2016-03-11 - PowerSniff Malware Used in Macro-based Attacks.pdf", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "2016-04-21 - When entropy meets Shannon.pdf", "apfs_boot_mount.tbd", "tcp.h", "2016-07-05 - New Backdoor Allows Full Access to Mac Systems, Bitdefender Warns.pdf", "2016-11-15 - ScanPOS, new POS malware being distributed by Kronos.pdf", "atomic.h", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2016-05-18 - Operation Groundbait- Espionage in Ukrainian war zones.pdf", "bind.html", "GCGamepad.h", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "GKLeaderboardScore.h", "2016-11-21 - PrincessLocker \u2013 ransomware with not so royal encryption.pdf", "2016-11-23 - InPage zero-day exploit used to attack financial institutions in Asia.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "Rocket Kitten.pdf", "WKNavigationAction.h", "WKScriptMessage.h", "oalMacOSX_OALExtensions.h", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "mounts.csv", "vecLibTypes.h", "GCDevicePhysicalInputStateDiff.h", "2016-06-29 - Apocalypse- Ransomware which targets companies through insecure RDP.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2016-03-31 - Stored XSS Vulnerabilites on Foscam.pdf", "Cmstar Downloader.pdf", "APT 28 (1).pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "relocated", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "auto_home", "ASCredentialIdentity.h", "ASPublicKeyCredential.h", "2016-02-08 - APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "OBEX.h", "2016-08-30 - Pythons and Unicorns and Hancitor\u2026Oh My! Decoding Binaries Through Emulation.pdf", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "disk_structure.txt", "2016-09-15 - MILE TEA- Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies.pdf", "BUILDING", "AuthenticationServices.h", "csh.login", "stdint.h", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "GCRacingWheelInput.h", "GCControllerAxisInput.h", "Duqu 2.0 Win32K Exploit.pdf", "group", "2016-12-15 - Goldeneye Ransomware \u2013 the Petya-Mischa combo rebranded.pdf", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "embedvar.h", "2016-10-17 - New-looking Sundown EK drops Smoke Loader, Kronos banker.pdf", "2016-03-01 - Taiwan Presidential Election- A Case Study on Thematic Targeting.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "WKNavigation.h", "2016-12-09 - Windows 10- protection, detection, and response against recent Depriz malware attacks.pdf", "reg_help.h", "2015-05-22 - The DGA of Ranbyus.pdf", "2016-09-23 - SECONDDATE in action.pdf", "uconfig.h", "2016-02-25 - KeyBase Threat Grows Despite Public Takedown- A Picture is Worth a Thousand Words.pdf", "GCMouseInput.h", "2016-09-30 - Hacked Steam accounts spreading Remote Access Trojan.pdf", "2016-12-06 - August in November- New Information Stealer Hits the Scene.pdf", "EXTERN.h", "tcp_private.h", "al.h", "2016-07-21 - Phishing Attacks Employ Old but Effective Password Stealer.pdf", "GCControllerTouchpad.h", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2016-05-05 - Sophisticated New Packer Identified in CryptXXX Ransomware Sample.pdf", "2016-11-14 - Doctor Web discovers a botnet that attacks Russian banks.pdf", "WKFoundation.h", "WKError.h", "2016-09-22 - Zeus Delivered by DELoader to Defraud Customers of Canadian Banks.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2016-01-25 - Hidden Tear Ransomware Developer Blackmailed by Malware Developers using his Code.pdf", "limits.h", "Indicators of Compormise Hellsing.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "IOBluetoothObjectPushUIController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "blog.pdf", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "WKContextMenuElementInfo.h", "ASPublicKeyCredentialClientData.h", "IOBluetoothPasskeyDisplay.h", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "dbivport.h", "GCColor.h", "GCKeyCodes.h", "2016-04-22 - New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists.pdf", "2016-08-28 - FEINTCLOUD.pdf", "2016-05-26 - The OilRig Campaign- Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "main.cf.default", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "GCDirectionPadElement.h", "in_pcb.h", "2016-01-22 - PlugX APT Malware.pdf", "WKURLSchemeTask.h", "2016-08-15 - Shakti Trojan- Document Thief.pdf", "Afghan Government Compromise - Browser Beware.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "WebKit.apinotes", "GCSwitchPositionInput.h", "2016-03-11 - Gaudox - HTTP Bot (1.1.0.1) - CPlusPlus ASM - Ring3 Rootkit - Watchdog - Antis.pdf", "xtab", "LDAP.tbd", "2016-01-28 - CenterPOS- An Evolving POS Threat.pdf", "2016-12-15 - Let It Ride- The Sofacy Group\u2019s DealersChoice Attacks Continue.pdf", "2016-05-17 - ATM infector.pdf", "Copy Kittens.pdf", "aliases", "libkern.h", "INUIEditVoiceShortcutViewController.h", "invlist_inline.h", "interfaceDetails.csv", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "overload.h", "2016-05-04 - Petya- the two-in-one trojan.pdf", "2016-08-23 - GozNym Banking Trojan Targeting German Banks.pdf", "2016-04-16 - Ever Present Persistence - Established Footholds Seen in the Wild.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "2016-12-20 - Alice- A Lightweight, Compact, No-Nonsense ATM Malware.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "WKWebView.h", "2016-11-30 - Shamoon- Back from the dead and destructive as ever.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "machine_cpuid.h", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "GameKit.h", "cpu.h", "2015-03-03 - C99Shell not dead.pdf", "com_err.h", "WKWebpagePreferences.h", "2016-06-08 - Spear Phishing Attacks- Why They are Successful and How to Stop Them.pdf", "zprofile", "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "pycore_condvar.h", "battery.csv", "ASCredentialIdentityStore.h", "2016-08-29 - German Speakers Targeted by SPAM Leading to Ozone RAT.pdf", "pio.h", "vm_compressor_algorithms.h", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "in_arp.h", "python3.pc", "GKLeaderboardViewController.h", "WKProcessPool.h", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "GCControllerInput.h", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "ptrauth.h", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "WKDataDetectorTypes.h", "2016-09-07 - The Missing Piece \u2013 Sophisticated OS X Backdoor Discovered.pdf", "ASCredentialServiceIdentifier.h", "2016-04-14 - Bedep has raised its game vs Bot Zombies.pdf", "IOUSBHostDevice.h", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2016-03-20 - Hidden Tear Project- Forbidden Fruit Is the Sweetest.pdf", "2016-09-02 - Necurs \u2013 hybrid spam botnet.pdf", "LocalAuthentication.tbd", "GCPhysicalInputElement.h", "Anthem hack all roads lead to China.pdf", "2016-07-07 - NetTraveler APT Targets Russian, European Interests.pdf", "2016-06-14 - New Sofacy Attacks Against US Government Agency.pdf", "2016-05-10 - Setting Sights On Retail- AbaddonPOS Now Targeting Specific POS Software.pdf", "perl_langinfo.h", "2016-03-31 - The evolution of Brazilian Malware.pdf", "OSBase.h", "IOUSBHostCIControllerStateMachine.h", "2016-10-24 - Evasive Malware Detects and Defeats Virtual Machine Analysis.pdf", "2016-05-26 - SWIFT attackers\u2019 malware linked to more financial attacks.pdf", "GCMicroGamepad.h", "alc.h", "2016-01-22 - The Impact of Dragonfly Malware on Industrial Control Systems.pdf", "vm_pageout.h", "2016-02-09 - Bedep Lurking in Angler's Shadows.pdf", "zconf.h", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "nostdio.h", "Attacks against Israeli & Palestinian interests.pdf", "MultipeerConnectivity.h", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "ASAccountAuthenticationModificationExtensionContext.h", "Babar or Bunny.pdf", "2016-07-30 - Luminosity RAT - Re-purposed.pdf", "ip_var.h", "Dynasty.pdf", "2016-10-11 - Odinaff- New Trojan used in high level financial attacks.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "postfix-files", "2016-07-26 - OTX Pulse on R980 ransomware.pdf", "ASCredentialProviderExtensionContext.h", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "igmp.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "2016-08-25 - Shakti Trojan - Technical Analysis.pdf", "Kerberos.h", "2016-05-09 - PseudoDarkLeech Angler EK from 185.118.66.154 sends Bedep-CryptXXX.pdf", "popen_spawn_win32.py", "GCEventViewController.h", "Attack on Ukraine Power Grid.pdf", "2015-02-27 - ScanBox Framework.pdf", "master.cf.proto", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "AOSKit.tbd", "GCControllerDirectionPad.h", "convenience.map", "icmp_var.h", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "Black Vine.pdf", "WebKit.tbd", "ntp_opendirectory.conf", "GKLeaderboardEntry.h", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2016-08-22 - BLATSTING FUNKSPIEL.pdf", "2016-01-22 - CVE-2015-4400 - Backdoorbot, Network Configuration Leak on a Connected Doorbell.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "Driver_xst.h", "2016-04-19 - Trojan.GodzillaLoader (alias Godzilla Loader).pdf", "2016-12-14 - Twin zero-day attacks- PROMETHIUM and NEODYMIUM target individuals in Europe.pdf", "2016-10-26 - Moonlight \u2013 Targeted attacks in the Middle East.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2016-12-01 - CNACOM - Open Source Exploitation via Strategic Web Compromise.pdf", "2016-04-19 - Your Package Has Been Successfully Encrypted- TeslaCrypt 4.1A and the Malware Attack Chain.pdf", "2016-11-15 - Kronos Banking Trojan Used to Deliver New Point-of-Sale Malware.pdf", "2016-12-09 - -Proof of Concept- CryptoWire Ransomware Spawns Lomix and UltraLocker Families.pdf", "sysctl.h", "crashes.csv", "KUNCUserNotifications.h", "2016-02-09 - Poseidon Group- a Targeted Attack Boutique specializing in global cyber-espionage.pdf", "2016-09-23 - Hancitor (AKA Chanitor) observed using multiple attack approaches.pdf", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "arm64e-apple-ios-macabi.swiftinterface", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "csh.logout", "GCDualShockGamepad.h", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "access", "pf.conf", "ASAuthorizationOpenIDRequest.h", "2016-03-14 - Digital Quartermaster Scenario Demonstrated in Attacks Against the Mongolian Government.pdf", "Emdivi.pdf", "IOPCIFamilyDefinitions.h", "2016-08-02 - Orcus \u2013 Birth of an unusual plugin builder RAT.pdf", "Apt 2015 (2).pdf", "2016-05-22 - Operation Ke3chang Resurfaces With New TidePool Malware.pdf", "GCDevicePhysicalInput.h", "2016-05-24 - New Wekby Attacks Use DNS Requests As Command and Control Mechanism.pdf", "header_checks", "WKWebViewConfiguration.h", "Asruex.pdf", "ASCredentialProviderViewController.h", "IOBluetooth.h", "2016-04-14 - Targeted Ransomware Activity.pdf", "2016-05-12 - LatentBot \u2013 modularny i silnie zaciemniony bot.pdf", "Babar.pdf", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "ip.h", "UNDRequest.defs", "2015-08-19 - Inside Neutrino botnet builder.pdf", "version.plist", "GKPeerPickerController.h", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2016-08-30 - OSX-Keydnap spreads via signed Transmission application.pdf", "2016-09-04 - BLATSTING Command-and-Control protocol.pdf", "WKNavigationDelegate.h", "ASAuthorization.h", "stddef.h", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "icmp6.h", "sel.h", "WKHTTPCookieStore.h", "WKPreviewActionItem.h", "2016-08-22 - VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick.pdf", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "av.h", "2016-01-12 - Trochilus RAT Evades Antivirus Detection, Used for Cyber-Espionage in South-East Asia.pdf", "GKAccessPoint.h", "bounce.cf.default", "gssapi_krb5.h", "ASPasswordCredential.h", "utf8.h", "GCKeyboard.h", "2016-09-06 - Buckeye cyberespionage group shifts gaze from US to Hong Kong.pdf", "vBasicOps.h", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "INTERN.h", "opnames.h", "copyio.h", "2016-12-09 - New Exo Android Trojan Sold on Hacking Forums, Dark Web.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "WKPreviewActionItemIdentifiers.h", "mg_vtable.h", "GCExtern.h", "2016-10-01 - Source Code for IoT Botnet \u2018Mirai\u2019 Released.pdf", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "2015-05-14 - The Naikon APT.pdf", "table.h", "notify.conf", "WKPDFConfiguration.h", "GKChallengesViewController.h", "vm_dyld_pager.h", "2016-09-29 - TeamXRat- Brazilian cybercrime meets ransomware.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "NSAttributedString.h", "2016-06-17 - ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks.pdf", "2016-09-27 - New Voldemort-Nagini Ransomware Virus Infection.pdf", "GCKeyboardInput.h", "pp_proto.h", "WKUIDelegate.h", "2016-03-03 - Attack on Zygote- a new twist in the evolution of mobile threats.pdf", "2016-08-08 - ProjectSauron- top level cyber-espionage platform covertly extracts encrypted government comms.pdf", "mail.rc", "uudmap.h", "2016-09-26 - Sofacy\u2019s \u2018Komplex\u2019 OS X Trojan.pdf", "2016-09-21 - Reversing GO binaries like a pro.pdf", "2016-12-27 - Pegasus internals- Technical Teardown of the Pegasus malware and Trident exploit chain.pdf", "NetTraveler.pdf", "GCTypes.h", "nfs.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "2015-06-24 - UnFIN4ished Business.pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "vecLib.h", "_endian.h", "xdr_subs.h", "capture_0.bundle.js", "ftpusers", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2016-03-04 - Tracing the Lineage of DarkSeoul.pdf", "2015-10-15 - Archivist.pdf", "GCPressedStateInput.h", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "python3-embed.pc", "io.h", "2016-03-23 - New self?protecting USB trojan able to avoid detection.pdf", "GCDevice.h", "Verification failure observed in automated verification handlers during sandbox replay.", "cpuid.h", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "perl_inc_macro.h", "2016-03-09 - Korean Energy and Transportation Targets Attacked by OnionDog APT.pdf", "2016-05-25 - CVE-2015-2545- overview of current threats.pdf", "rtadvd.conf", "Duke cloud Linux.pdf", "2016-09-27 - Threat Spotlight- GozNym.pdf", "2016-07-13 - Troldesh ransomware influenced by (the) Da Vinci code.pdf", "GameController.tbd", "2016-01-22 - New Attacks Linked to C0d0so0 Group.pdf", "regexp.h", "2016-08-18 - The Shadow Brokers.pdf", "smb.conf", "Info.plist", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "2016-11-08 - Analysis of iOSGuiInject Adware Library.pdf", "hv_macro.h", "2016-12-07 - August in November- New Information Stealer Hits the Scene.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "ASAuthorizationAppleIDButton.h", "GKVoiceChat.h", "2016-09-28 - Introducing Her Royal Highness the Princess Locker Ransomware.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Osreturn", "Lastname", "Firstname", "Osatomic", "Ver", "Internet" ], "industries": [ "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd7c8b6a50e874aa6014c6", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:51.295000", "created": "2026-05-08T06:02:51.295000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c8a581c71ee4bcd7a00", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:50.534000", "created": "2026-05-08T06:02:50.534000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c8901f357b10d9f605a", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:49.354000", "created": "2026-05-08T06:02:49.354000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c878493ff5e9aaacf51", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:47.687000", "created": "2026-05-08T06:02:47.687000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c846a50e874aa6014c5", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:44.672000", "created": "2026-05-08T06:02:44.672000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c8330ebba9c3a9756b5", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:43.493000", "created": "2026-05-08T06:02:43.493000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c5a3c1d0e3dfa82dcc0", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:02.276000", "created": "2026-05-08T06:02:02.276000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c596fb7b0c2c3e7c26f", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:01.820000", "created": "2026-05-08T06:02:01.820000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "69fd7c59c81d461876bc3313", "name": "test CREATED 1 YEAR AGO by testivk1 clone", "description": "", "modified": "2026-05-08T06:02:01.178000", "created": "2026-05-08T06:02:01.178000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e6f4dfcc3c6e3abf71e3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "datetime.now", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "datetime.now", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780184986.2764382 }