{
  "type": "Domain",
  "indicator": "daum.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/daum.net",
    "alexa": "http://www.alexa.com/siteinfo/daum.net",
    "indicator": "daum.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #118",
        "name": "Listed on Alexa"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain daum.net",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain daum.net",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 239987,
      "indicator": "daum.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "69ca5d583057aaefed16789a",
          "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
          "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
          "modified": "2026-04-29T11:26:13.615000",
          "created": "2026-03-30T11:24:08.053000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "default",
            "sha256",
            "sha1",
            "data",
            "info",
            "accept",
            "win64",
            "damage",
            "openssl",
            "shutdown",
            "direct",
            "explorer",
            "title",
            "payload",
            "rdap",
            "ip version",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity sg679",
            "handle",
            "stealc config",
            "cncs http"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 351,
            "URL": 392,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 168,
            "FileHash-SHA256": 197,
            "email": 12,
            "hostname": 68,
            "CIDR": 4
          },
          "indicator_count": 1341,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "34 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695089cbedad5c86f39b1363",
          "name": "Tracking Domains 03.03.26 (Updated Test)",
          "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
          "modified": "2026-04-05T06:35:43.679000",
          "created": "2025-12-28T01:37:15.993000",
          "tags": [
            "privacy badger",
            "sites general",
            "settings widget",
            "domains manage",
            "data privacy",
            "badger",
            "hide"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
            "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
            "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
            "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 50404,
            "hostname": 10879,
            "URL": 715,
            "FileHash-MD5": 1
          },
          "indicator_count": 61999,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "58 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b92a27c47d4e28927364",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:26.110000",
          "created": "2026-03-12T13:01:30.067000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 74,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b9295603a6100edfa8c8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:25.387000",
          "created": "2026-03-12T13:01:29.284000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927aa7f10e82639d204",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.872000",
          "created": "2026-03-12T13:01:27.872000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927c086397130c5d114",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.275000",
          "created": "2026-03-12T13:01:27.275000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b926871746ed8a1bc324",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:26.440000",
          "created": "2026-03-12T13:01:26.440000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b925e85c948d4dd608cc",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:25.852000",
          "created": "2026-03-12T13:01:25.852000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e974189d2c41f07ed8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:25.910000",
          "created": "2026-03-12T13:00:25.910000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e74d2b3effd55f88c3",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:23.173000",
          "created": "2026-03-12T13:00:23.173000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8dfbf8426a7a1d0146d",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:15.427000",
          "created": "2026-03-12T13:00:15.427000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d7123610591625b8fb",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:07.354000",
          "created": "2026-03-12T13:00:07.354000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d61e3f64a8f1f169b6",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:06.214000",
          "created": "2026-03-12T13:00:06.214000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d24eeb4200bdb1d702",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:02.096000",
          "created": "2026-03-12T13:00:02.096000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "81 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b76c9a490b69b6a085b3",
          "name": "Exodus/cellbrite clone by Q Vashti",
          "description": "",
          "modified": "2026-03-12T12:54:04.160000",
          "created": "2026-03-12T12:54:04.160000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6916e098df39114161354b23",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4295,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3255,
            "domain": 2911,
            "hostname": 2894,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13986,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "82 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6952febb1dbcf05ee601f050",
          "name": "Pegasus Ongoing l Cellbrite | Exodus | Brian Sabey | HallRender | Tulach (1.29.24)",
          "description": "",
          "modified": "2025-12-29T22:20:43.238000",
          "created": "2025-12-29T22:20:43.238000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65b80a20bbcd0eb305a740ec",
          "export_count": 41199,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "154 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "687992eceac6f12e9cebd65f",
          "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
          "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
          "modified": "2025-12-28T19:04:27.449000",
          "created": "2025-07-18T00:18:50.968000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 375,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 7,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "privacynotacrime",
            "id": "349346",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "155 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916e098df39114161354b23",
          "name": "Exodus l Cellbrite \u2022 Pegasus | Brian Sabey | HallRender | Tulach ",
          "description": "",
          "modified": "2025-12-14T07:05:42.106000",
          "created": "2025-11-14T07:56:08.872000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a76c2901b34c79a681596d",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4295,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3255,
            "domain": 2911,
            "hostname": 2894,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13986,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "170 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691b61e16cea7624a6606a69",
          "name": "For Later",
          "description": "***",
          "modified": "2025-11-17T18:46:19.094000",
          "created": "2025-11-17T17:56:49.875000",
          "tags": [
            "wormhole",
            "want",
            "sign",
            "submit send",
            "copy",
            "share show",
            "report delete",
            "faq roadmap",
            "security legal",
            "twitter discord",
            "protected"
          ],
          "references": [
            "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 72127,
            "hostname": 16700,
            "URL": 50
          },
          "indicator_count": 88877,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "196 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68be65e95645ef1a6c8a898d",
          "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products",
          "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.",
          "modified": "2025-10-08T04:04:41.943000",
          "created": "2025-09-08T05:13:13.781000",
          "tags": [
            "mtb oct",
            "trojandropper",
            "avast avg",
            "backdoor",
            "trojan",
            "ubuntu",
            "passive dns",
            "federation flag",
            "asn as49505",
            "dns resolutions",
            "domains top",
            "level",
            "unique tlds",
            "dynamicloader",
            "high",
            "medium",
            "port",
            "delete c",
            "windows",
            "displayname",
            "tofsee",
            "grum",
            "stream",
            "powershell",
            "write",
            "malware",
            "hostile",
            "misa",
            "ipv4 add",
            "urls",
            "files",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "found",
            "command",
            "defense evasion",
            "adversaries",
            "spawns",
            "united",
            "orc5",
            "flag",
            "rhur3d",
            "title",
            "click",
            "strings",
            "refresh",
            "aids",
            "dzan",
            "sumo",
            "miny",
            "judi",
            "pattern match",
            "mitre att",
            "show technique",
            "ck matrix",
            "ascii text",
            "show process",
            "hybrid",
            "general",
            "local",
            "path",
            "t1480 execution",
            "null",
            "span",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "domain secure",
            "windows nt",
            "ogoogle trust",
            "zerossl ecc",
            "site ca0x1ex17r",
            "win64",
            "unknown",
            "encrypt",
            "search",
            "entries",
            "destination",
            "push",
            "next",
            "apple",
            "moved",
            "gmt content",
            "type",
            "content length",
            "ipv4",
            "date",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "assigned pi",
            "status",
            "whois server",
            "entity ipripe",
            "apnic",
            "url add",
            "http",
            "hostname",
            "files domain",
            "files related",
            "related tags",
            "ip address",
            "related nids",
            "files location",
            "flag united",
            "unknown ns",
            "name servers",
            "creation date",
            "emails",
            "pulse pulses",
            "pulses none",
            "none google",
            "safe browsing",
            "external",
            "location united",
            "asn as714",
            "less whois",
            "registrar",
            "ios",
            "iphone",
            "ipad",
            "australia",
            "dead host"
          ],
          "references": [
            "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
            "https://176.113.115.136/ohhiiiii/",
            "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
            "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
            "palantir-staging.staging.candidate.app.paulsjob.ai",
            "pornhub.com\t \u2022 www.pornhub.com",
            "appleaustralia.com",
            "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
            "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Muldrop",
              "display_name": "Muldrop",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "APNIC",
              "display_name": "APNIC",
              "target": null
            },
            {
              "id": "Win.Packer.pkr_ce1a-9980177-0",
              "display_name": "Win.Packer.pkr_ce1a-9980177-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Telecommunications",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1273,
            "FileHash-MD5": 347,
            "domain": 606,
            "hostname": 778,
            "FileHash-SHA256": 2724,
            "FileHash-SHA1": 322,
            "email": 9,
            "SSLCertFingerprint": 14,
            "CIDR": 3
          },
          "indicator_count": 6076,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "237 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68493fbb0f19938d6458cb89",
          "name": "Phishing [100625]",
          "description": "Phishing domains and IP addresses that have been used to send malicious emails.",
          "modified": "2025-07-11T08:01:07.780000",
          "created": "2025-06-11T08:35:06.321000",
          "tags": [
            "Phishing",
            "Malicious Domain",
            "Malicious IP"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FS13JKMK",
            "id": "312129",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 48,
            "hostname": 34,
            "email": 7,
            "URL": 96,
            "FileHash-SHA256": 20
          },
          "indicator_count": 205,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "326 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6854082f2edb40c1c80b0831",
          "name": "JSDdelivr blocklist",
          "description": "",
          "modified": "2025-06-19T14:28:09.610000",
          "created": "2025-06-19T12:53:03.734000",
          "tags": [],
          "references": [
            "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5675,
            "hostname": 171
          },
          "indicator_count": 5846,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "347 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "669e5aa7341d5520b466d295",
          "name": "trojan stealer spam bot",
          "description": "",
          "modified": "2025-06-04T13:32:48.907000",
          "created": "2024-07-22T13:12:07.175000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/graph/g7a78c4f156e94fbbb3138d9e6b65fbdb093820b95fef440b967cc189faa5dc58"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Trojan:Win32/Kryptik",
              "display_name": "Trojan:Win32/Kryptik",
              "target": "/malware/Trojan:Win32/Kryptik"
            },
            {
              "id": "Virus:Win32/Grum",
              "display_name": "Virus:Win32/Grum",
              "target": "/malware/Virus:Win32/Grum"
            },
            {
              "id": "GandCrab",
              "display_name": "GandCrab",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 20,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 63,
            "URL": 3,
            "domain": 45,
            "hostname": 132
          },
          "indicator_count": 283,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "362 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f235b9a7a94a6a61acd651",
          "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
          "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.",
          "modified": "2025-03-07T08:38:08.584000",
          "created": "2024-09-24T03:44:57.902000",
          "tags": [
            "geoip",
            "public url",
            "as16509",
            "amazon02",
            "as20940",
            "akamaiasn1",
            "as8075",
            "as15169",
            "google",
            "akamaias",
            "facebook",
            "telecom",
            "twitter",
            "media",
            "win64",
            "level3",
            "mini",
            "ukraine",
            "proton",
            "ghost",
            "win32",
            "cuba",
            "mexico",
            "indonesia",
            "seznam",
            "as3359",
            "as852"
          ],
          "references": [
            "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
            "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
            "https://n0paste.eu/UH6n5pD/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Anguilla",
            "Poland",
            "Aruba",
            "Australia",
            "Barbados",
            "Costa Rica",
            "Guatemala",
            "Philippines",
            "Panama",
            "Sint Maarten (Dutch part)",
            "Saint Martin (French part)",
            "Cayman Islands",
            "Cura\u00e7ao",
            "Mexico",
            "Saint Vincent and the Grenadines",
            "Saint Kitts and Nevis",
            "Tanzania, United Republic of",
            "Netherlands",
            "Ukraine",
            "Trinidad and Tobago",
            "Japan",
            "Bahamas",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "CIDR": 1186,
            "CVE": 4,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 3,
            "URL": 25493,
            "domain": 5396,
            "email": 10,
            "hostname": 10770
          },
          "indicator_count": 42892,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "452 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b0fa3624bf0384e427f2e7",
          "name": "Tracking Domains 4.2 - 08.19.24",
          "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)",
          "modified": "2024-09-04T15:01:01.432000",
          "created": "2024-08-05T16:13:42.563000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
            "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
            "https://viz.greynoise.io/query/AS4611",
            "https://urlscan.io/asn/AS4611",
            "https://urlscan.io/search/#asn:%22AS4611%22",
            "https://urlscan.io/asn/AS45090",
            "https://urlscan.io/search/#asn%3A%22AS45090%22",
            "https://viz.greynoise.io/query/AS45090",
            "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
            "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
            "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
            "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 6180,
            "FileHash-MD5": 1,
            "domain": 24921,
            "URL": 10854
          },
          "indicator_count": 41956,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "635 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b1f33258a8e26033b17",
          "name": "Tracking Domains - Part 4.1",
          "description": "More Tracking Domains",
          "modified": "2024-08-30T13:02:28.335000",
          "created": "2024-04-22T17:15:11.398000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
            "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 94496,
            "FileHash-MD5": 63,
            "domain": 112327,
            "URL": 166918,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 103,
            "CIDR": 216
          },
          "indicator_count": 374156,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "640 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b204ecfba63974dc1d8",
          "name": "Tracking Domains - Part 4",
          "description": "More Tracking Domains",
          "modified": "2024-05-22T17:04:45.215000",
          "created": "2024-04-22T17:15:12.353000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 792,
            "FileHash-MD5": 1,
            "domain": 5803,
            "URL": 2
          },
          "indicator_count": 6598,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 136,
          "modified_text": "740 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b7119615db47ea27706a86",
          "name": "Esurance Remote Attacks| Emotet | Lolkek  | Part I",
          "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .",
          "modified": "2024-04-12T23:03:13.367000",
          "created": "2024-01-29T02:46:46.076000",
          "tags": [
            "ssl certificate",
            "xamzexpires600",
            "whois record",
            "url collection",
            "collections",
            "historical ssl",
            "referrer",
            "contacted",
            "resolutions",
            "web gateway",
            "emotet",
            "urls http",
            "whois whois",
            "domains",
            "lolkek",
            "core",
            "caddywiper",
            "awful",
            "urls url",
            "cymulate",
            "malware",
            "com laude",
            "ltd dba",
            "first",
            "utc submissions",
            "submitters",
            "cloudflarenet",
            "internet domain",
            "service bs",
            "corp",
            "dynadot",
            "twitter",
            "optimizer",
            "amazonaes",
            "summary iocs",
            "graph community",
            "origin1",
            "ver33",
            "dtamlb",
            "smlb",
            "csc corporate",
            "gandi sas",
            "namecheap inc",
            "google",
            "amazon02",
            "apple",
            "remote attacks"
          ],
          "references": [
            "https://www.esurance.com/",
            "https://www.malwarebytes.com/emotet"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Telecom",
            "Civil Society",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9102,
            "CVE": 5,
            "FileHash-MD5": 68,
            "FileHash-SHA1": 67,
            "FileHash-SHA256": 2209,
            "domain": 1427,
            "hostname": 4334
          },
          "indicator_count": 17212,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "780 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a39f005c7f0a1c1eb33125",
          "name": "Formbook",
          "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors  via social media accounts Twitter & Facebook.",
          "modified": "2024-03-21T10:00:24.070000",
          "created": "2024-01-14T08:44:48.297000",
          "tags": [
            "ssl certificate",
            "contacted",
            "execution",
            "ah6itbtgl",
            "whois record",
            "historical ssl",
            "referrer",
            "subdomains",
            "resolutions",
            "formbook",
            "threat roundup",
            "malware",
            "metro",
            "social engineering",
            "jansky",
            "script urls",
            "a domains",
            "united",
            "search",
            "date",
            "script domains",
            "creation date",
            "record value",
            "showing",
            "unknown",
            "meta",
            "body",
            "encrypt",
            "as63949 linode",
            "as41357",
            "united kingdom",
            "scan endpoints",
            "all octoseek",
            "domain",
            "pulse submit",
            "url analysis",
            "server",
            "registrar abuse",
            "iana id",
            "contact phone",
            "domain status",
            "registrar url",
            "registrar whois",
            "email",
            "registry domain",
            "win32 exe",
            "javascript",
            "eqsray",
            "zip blaze",
            "ms excel",
            "detections type",
            "name",
            "text",
            "csv order",
            "files",
            "microsoft",
            "dns replication",
            "bt6lcuigydc9yc",
            "jxaavf4jnzza0",
            "submission",
            "community score",
            "no security",
            "graph api",
            "status",
            "content type",
            "xcitium verdict",
            "cloud marketing",
            "history first",
            "thebrotherssabey",
            "passive dns",
            "gmt content",
            "plesklin",
            "ipv4",
            "pulse pulses",
            "urls",
            "vbs",
            "data center",
            "reverse dns",
            "first",
            "utc submissions",
            "submitters",
            "bbonline uk",
            "namecheap inc",
            "summary iocs",
            "graph community",
            "ionos se",
            "keysystems gmbh",
            "record type",
            "ttl value",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "cus cnr3",
            "olet",
            "subject public",
            "key info",
            "key algorithm",
            "ec oid",
            "sabey",
            "all search",
            "otx octoseek",
            "url http",
            "http",
            "hostname",
            "files domain",
            "msie",
            "chrome",
            "expiration date",
            "next",
            "whois lookup",
            "dnssec",
            "domain name",
            "abuse contact",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "cname",
            "as44273 host",
            "ip address"
          ],
          "references": [
            "appleremote.net",
            "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111",
            "FormBook",
            "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc",
            "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020",
            "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1708,
            "hostname": 1920,
            "domain": 2221,
            "URL": 4822,
            "FileHash-MD5": 100,
            "FileHash-SHA1": 119,
            "email": 2,
            "CIDR": 1
          },
          "indicator_count": 10893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "803 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65caca061fbb7674de86ec7b",
          "name": "Invicta Stealer",
          "description": "Invicta Stealer is equipped to steal data from most locations of a system which makes it a dangerous threat.\nLink found in https://house.mo.com",
          "modified": "2024-03-14T01:01:47.115000",
          "created": "2024-02-13T01:46:46.969000",
          "tags": [
            "ssl certificate",
            "whois record",
            "contacted",
            "historical ssl",
            "resolutions",
            "communicating",
            "whois whois",
            "subdomains",
            "referrer",
            "problems",
            "core",
            "startpage",
            "june",
            "passive dns",
            "urls",
            "domain",
            "otx telemetry",
            "body",
            "gmt content",
            "x adblock",
            "scan endpoints",
            "all octoseek",
            "hostname",
            "date",
            "encrypt",
            "threat roundup",
            "october",
            "november",
            "march",
            "february",
            "apple ios",
            "april",
            "tsara brashears",
            "copy",
            "hacktool",
            "phishing",
            "metro",
            "crypto",
            "installer",
            "awful",
            "united",
            "unknown",
            "germany unknown",
            "search",
            "servers",
            "registrar",
            "name servers",
            "status",
            "next",
            "moved",
            "address",
            "creation date",
            "showing",
            "ipv4",
            "pulse submit",
            "url analysis",
            "accept",
            "aaaa",
            "record type",
            "ttl value",
            "html document",
            "ascii text",
            "anchor hrefs",
            "hrefs",
            "anchor",
            "anchor href",
            "threat",
            "paste",
            "iocs",
            "analyze",
            "hostnames",
            "url https",
            "sample",
            "server",
            "code",
            "registry domain",
            "dnssec",
            "registrar url",
            "registrar whois",
            "iana id",
            "registrar abuse",
            "tech email",
            "fake update",
            "utilizes new",
            "idat loader",
            "stealc",
            "urls http",
            "isadultno",
            "adposbottom",
            "adformatplain",
            "adnetworks",
            "quasar rat",
            "ip detections",
            "country",
            "cellbrite",
            "execution",
            "pegasus",
            "malware",
            "agent tesla",
            "attack",
            "ukraine",
            "silent",
            "invicta stealer",
            "redline stealer",
            "orcus rat",
            "files",
            "germany asn",
            "as196763",
            "a domains",
            "redacted for",
            "record value",
            "for privacy",
            "emails",
            "name",
            "contacted urls",
            "bundled",
            "de indicators",
            "domains",
            "hashes",
            "gmbh version",
            "status page",
            "service privacy",
            "legal",
            "impressum",
            "pulse pulses",
            "location united",
            "open",
            "cookie",
            "customer",
            "0 report",
            "sea alt",
            "certificate",
            "#targeting",
            "#discordwallets",
            "house.mo.gov"
          ],
          "references": [
            "https://www.facebooksunglassshop.com/",
            "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
            "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
            "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
            "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
            "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
            "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
            "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
            "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
            "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
            "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "wallpapers-nature.com",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
            "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
            "edgedl.me.gvt1.com",
            "Link found in https://house.mo.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Invicta Stealer",
              "display_name": "Invicta Stealer",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "Orcus RAT",
              "display_name": "Orcus RAT",
              "target": null
            },
            {
              "id": "Silent",
              "display_name": "Silent",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government",
            "Civil Society",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 65,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 153,
            "FileHash-SHA1": 145,
            "FileHash-SHA256": 3848,
            "CVE": 3,
            "URL": 8291,
            "domain": 2541,
            "hostname": 3034,
            "email": 13
          },
          "indicator_count": 18028,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "810 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ac688725adf28284e2efe9",
          "name": "\"No Problems\": Investigation of Distribution Vectors and Threat Network Infrastructure",
          "description": "Investigation of Distribution Vectors and Threat Network Infrastructure\n\nAn analysis of Malware Distribution and Threats stemming from an Internal Breach at the University of Alberta. Retrospective & 'In-Progress' tracking, identification, and characterization among affected individuals/organizations, services, and platforms.\n\nJust your average student looking for a solution to help identify or 'link together' some on-going issue(s) with a few things(? - [insert noun] ) and/or also fixing things & 'learning-on-the-fly' - which all definitely 'have everything to do with my education and skillset' [insert bitterness & sarcasm].\n\nApparently meeting the academic standards for implementing and enforcing a 'secure environment' and protecting students relies on: 1) The innovative approach of a 'remote Google-Meet teardown' of everything but your devices, data, or software issues and 2) The 'Holistic Model' of \"we don't do 'in-person' technical support\" because \"we are un-hackable\".",
          "modified": "2024-03-11T07:12:06.930000",
          "created": "2023-07-10T20:22:31.492000",
          "tags": [],
          "references": [
            "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
            "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
            "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
            "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
            "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Netherlands",
            "Mexico",
            "United States of America",
            "Aruba",
            "Panama",
            "Canada",
            "Anguilla"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 75,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 467,
            "domain": 767,
            "hostname": 402,
            "URL": 142,
            "CVE": 1,
            "email": 1
          },
          "indicator_count": 1929,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "813 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c5e50dda752af9eab50933",
          "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork",
          "description": "Pegasus abuse by an alleged legal team with the malware hosting DGA domain https://hallrender.com. Related to an ongoing attack by a M.Brian Sabey who has fixated on a non criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts Side 3 provides services to Grammy award winning, nominated and aspiring artists. If you're heard of them , they've recorded there. There is evidence of music file transfers possibly, illegally sold to well known artist. This may have been done without knowledge of studio representatives. More likely by a hacker who boldly informed.",
          "modified": "2024-03-10T08:03:07.690000",
          "created": "2024-02-09T08:40:45.976000",
          "tags": [
            "malware",
            "pegasus",
            "cellbrite",
            "targets sa",
            "survivor",
            "referrer",
            "contacted urls",
            "contacted",
            "whois record",
            "hr rtd",
            "execution",
            "ssl certificate",
            "communicating",
            "skynet",
            "malicious",
            "csc corporate",
            "domains",
            "code",
            "t services",
            "date",
            "saint louis",
            "server",
            "registrar abuse",
            "whois lookups",
            "tech email",
            "threat roundup",
            "july",
            "march",
            "june",
            "files",
            "august",
            "phishing",
            "service",
            "amadey",
            "blacknet rat",
            "roundup",
            "magecart",
            "powershell",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "gmt vary",
            "gmt connection",
            "link",
            "studio",
            "side",
            "studios",
            "downtown denver",
            "colorado",
            "studios og",
            "html info",
            "title denver",
            "studios meta",
            "tags og",
            "hallrender",
            "mark brian sabey",
            "tulach",
            "passive dns",
            "urls",
            "scan endpoints",
            "all octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "domain",
            "files ip",
            "united",
            "as36646 oath",
            "unknown",
            "body doctype",
            "yahoo title",
            "x ua",
            "ieedge chrome1",
            "possible",
            "as19137 epsilon",
            "ipv4",
            "pulse pulses",
            "body",
            "headers nel",
            "contentencoding",
            "connection",
            "access control",
            "search",
            "address",
            "domain robot",
            "record value",
            "next",
            "parking crew",
            "tracking",
            "tsara brashears",
            "targeting",
            "as20940",
            "aaaa",
            "as714 apple",
            "as16625 akamai",
            "win32mydoom feb",
            "name servers",
            "as6185 apple",
            "creation date",
            "trojan",
            "virtool",
            "worm",
            "servers",
            "expiration date",
            "moved",
            "certificate",
            "showing",
            "entries"
          ],
          "references": [
            "adsl-074-168-130-217.sip.pns.bellsouth.net",
            "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
            "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm",
            "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]",
            "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios",
            "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21",
            "https://otx.alienvault.com/indicator/ip/74.6.231.21",
            "nr-data.net [Apple Private Data Collection]",
            "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]",
            "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]"
          ],
          "public": 1,
          "adversary": "NSO GROUP",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "AMADEY",
              "display_name": "AMADEY",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "BlackNET RAT",
              "display_name": "BlackNET RAT",
              "target": null
            },
            {
              "id": "Possible",
              "display_name": "Possible",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3263,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 2596,
            "domain": 1168,
            "hostname": 1877,
            "CVE": 2,
            "email": 6
          },
          "indicator_count": 9170,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "814 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c4b7b44b63ea6ea0c503d8",
          "name": "Sabey targeting | Gains access to premier Denver Recording Studio",
          "description": "Intellectual property accessed and distributed. \nSabey and company have access, storage and at will control. Ransomware. Active threat. Likelihood of Pegasus abuse.. Critical alert. Reckless predatory type with motives, tools, knowledge, and colleagues continue cyberstalking and in person contact with SA survivor. Carelessly attacking systems of business and facilities target likely to use, This behavior puts others at risk.",
          "modified": "2024-03-09T10:04:19.572000",
          "created": "2024-02-08T11:15:00.329000",
          "tags": [
            "malware",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "report spam",
            "author",
            "cyber espionage",
            "studio created",
            "minutes ago",
            "white goldmax",
            "sibot",
            "goldfinder",
            "python",
            "indicator role",
            "title added",
            "active related",
            "pulses url",
            "entries",
            "url http",
            "pulses cve",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "analyze",
            "hostnames",
            "urls http",
            "sample",
            "urls https",
            "filehashsha1",
            "filehashmd5",
            "ipv4",
            "types of",
            "united kingdom",
            "united",
            "india",
            "china",
            "search",
            "pega type",
            "united states",
            "url https",
            "added active",
            "related pulses",
            "backdoor type",
            "discovery",
            "command",
            "all octoseek",
            "formbook",
            "goldmax",
            "ransomware",
            "njrat",
            "hacktool",
            "maui ransomware",
            "worm",
            "next",
            "type indicator",
            "role title",
            "go",
            "sabey",
            "tulach",
            "targeting tsara brashears",
            "utah",
            "whois record",
            "contacted",
            "ssl certificate",
            "referrer",
            "whois whois",
            "resolutions",
            "collections",
            "bundled",
            "execution",
            "lokibot",
            "tracer tool",
            "c2",
            "command and control",
            "sabey",
            "targeting",
            "hacking apple"
          ],
          "references": [
            "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)",
            "https://sabeydatacenters.com/",
            "sabeydatacenters.com",
            "4jslg.sabeydatacenters.com",
            "https://sabeydatacenters.com/",
            "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0",
            "https://tulach.cc/ |   [phishing | malware engineering]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/  [ phishing | data collection | property theft | target]",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
            "nr-data.net  [Apple Private Data Collection]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Sibot",
              "display_name": "Sibot",
              "target": null
            },
            {
              "id": "GoldFinder",
              "display_name": "GoldFinder",
              "target": null
            },
            {
              "id": "Go",
              "display_name": "Go",
              "target": null
            },
            {
              "id": "NjRAT",
              "display_name": "NjRAT",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Maui Ransomware",
              "display_name": "Maui Ransomware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1215",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1215 - Kernel Modules and Extensions"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1491",
              "name": "Defacement",
              "display_name": "T1491 - Defacement"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Entertainment",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 422,
            "domain": 240,
            "hostname": 495,
            "CVE": 1,
            "FileHash-MD5": 75,
            "FileHash-SHA1": 73,
            "FileHash-SHA256": 843,
            "email": 2
          },
          "indicator_count": 2151,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "815 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65de941acedcdd661f0593b6",
          "name": "Esurance Remote Attacks (Cloned. Who modifies reports? This happens to me)",
          "description": "",
          "modified": "2024-02-28T02:02:02.807000",
          "created": "2024-02-28T02:02:02.807000",
          "tags": [
            "ssl certificate",
            "xamzexpires600",
            "whois record",
            "url collection",
            "collections",
            "historical ssl",
            "referrer",
            "contacted",
            "resolutions",
            "web gateway",
            "emotet",
            "urls http",
            "whois whois",
            "domains",
            "lolkek",
            "core",
            "caddywiper",
            "awful",
            "urls url",
            "cymulate",
            "malware",
            "com laude",
            "ltd dba",
            "first",
            "utc submissions",
            "submitters",
            "cloudflarenet",
            "internet domain",
            "service bs",
            "corp",
            "dynadot",
            "twitter",
            "optimizer",
            "amazonaes",
            "summary iocs",
            "graph community",
            "origin1",
            "ver33",
            "dtamlb",
            "smlb",
            "csc corporate",
            "gandi sas",
            "namecheap inc",
            "google",
            "amazon02",
            "apple",
            "remote attacks"
          ],
          "references": [
            "https://www.esurance.com/",
            "https://www.malwarebytes.com/emotet"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Telecom",
            "Civil Society",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": "65b711a6f49f057c311f2642",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8575,
            "CVE": 4,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 1951,
            "domain": 1394,
            "hostname": 4095
          },
          "indicator_count": 16112,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "825 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b80763e9d9e18cf87d985b",
          "name": "Esurance Remote Attacks| Emotet | Lolkek | Part I",
          "description": "",
          "modified": "2024-02-28T02:01:51.407000",
          "created": "2024-01-29T20:15:31.163000",
          "tags": [
            "ssl certificate",
            "xamzexpires600",
            "whois record",
            "url collection",
            "collections",
            "historical ssl",
            "referrer",
            "contacted",
            "resolutions",
            "web gateway",
            "emotet",
            "urls http",
            "whois whois",
            "domains",
            "lolkek",
            "core",
            "caddywiper",
            "awful",
            "urls url",
            "cymulate",
            "malware",
            "com laude",
            "ltd dba",
            "first",
            "utc submissions",
            "submitters",
            "cloudflarenet",
            "internet domain",
            "service bs",
            "corp",
            "dynadot",
            "twitter",
            "optimizer",
            "amazonaes",
            "summary iocs",
            "graph community",
            "origin1",
            "ver33",
            "dtamlb",
            "smlb",
            "csc corporate",
            "gandi sas",
            "namecheap inc",
            "google",
            "amazon02",
            "apple",
            "remote attacks"
          ],
          "references": [
            "https://www.esurance.com/",
            "https://www.malwarebytes.com/emotet"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Telecom",
            "Civil Society",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": "65b711a6f49f057c311f2642",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8575,
            "CVE": 4,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 1951,
            "domain": 1394,
            "hostname": 4095
          },
          "indicator_count": 16112,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "825 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b711a6f49f057c311f2642",
          "name": "Esurance Remote Attacks| Emotet | Lolkek  | Part I",
          "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .",
          "modified": "2024-02-28T02:01:51.407000",
          "created": "2024-01-29T02:47:02.117000",
          "tags": [
            "ssl certificate",
            "xamzexpires600",
            "whois record",
            "url collection",
            "collections",
            "historical ssl",
            "referrer",
            "contacted",
            "resolutions",
            "web gateway",
            "emotet",
            "urls http",
            "whois whois",
            "domains",
            "lolkek",
            "core",
            "caddywiper",
            "awful",
            "urls url",
            "cymulate",
            "malware",
            "com laude",
            "ltd dba",
            "first",
            "utc submissions",
            "submitters",
            "cloudflarenet",
            "internet domain",
            "service bs",
            "corp",
            "dynadot",
            "twitter",
            "optimizer",
            "amazonaes",
            "summary iocs",
            "graph community",
            "origin1",
            "ver33",
            "dtamlb",
            "smlb",
            "csc corporate",
            "gandi sas",
            "namecheap inc",
            "google",
            "amazon02",
            "apple",
            "remote attacks"
          ],
          "references": [
            "https://www.esurance.com/",
            "https://www.malwarebytes.com/emotet"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Telecom",
            "Civil Society",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8575,
            "CVE": 4,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 1951,
            "domain": 1394,
            "hostname": 4095
          },
          "indicator_count": 16112,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "825 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b7119e9272b1426729e1ed",
          "name": "Esurance Remote Attacks| Emotet | Lolkek  | Part I",
          "description": "Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it's evolved to become a major threat to users everywhere.\n\nLater versions evolved to use macro-enabled documents to retrieve the virus payload from command and control. They have been advised .",
          "modified": "2024-02-28T02:01:51.407000",
          "created": "2024-01-29T02:46:54.594000",
          "tags": [
            "ssl certificate",
            "xamzexpires600",
            "whois record",
            "url collection",
            "collections",
            "historical ssl",
            "referrer",
            "contacted",
            "resolutions",
            "web gateway",
            "emotet",
            "urls http",
            "whois whois",
            "domains",
            "lolkek",
            "core",
            "caddywiper",
            "awful",
            "urls url",
            "cymulate",
            "malware",
            "com laude",
            "ltd dba",
            "first",
            "utc submissions",
            "submitters",
            "cloudflarenet",
            "internet domain",
            "service bs",
            "corp",
            "dynadot",
            "twitter",
            "optimizer",
            "amazonaes",
            "summary iocs",
            "graph community",
            "origin1",
            "ver33",
            "dtamlb",
            "smlb",
            "csc corporate",
            "gandi sas",
            "namecheap inc",
            "google",
            "amazon02",
            "apple",
            "remote attacks"
          ],
          "references": [
            "https://www.esurance.com/",
            "https://www.malwarebytes.com/emotet"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Telecom",
            "Civil Society",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8575,
            "CVE": 4,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 1951,
            "domain": 1394,
            "hostname": 4095
          },
          "indicator_count": 16112,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "825 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b8083118e127157ff46d76",
          "name": "AndroidOverlayMalware: Enterprise.Cellebrite.com | Targets SA Victim ",
          "description": "",
          "modified": "2024-02-27T04:01:50.703000",
          "created": "2024-01-29T20:18:57.284000",
          "tags": [
            "ssl certificate",
            "whois record",
            "pegasus",
            "cellbrite",
            "sa victim",
            "assaulter",
            "execution",
            "targets sa",
            "survivor",
            "privilege https",
            "contacted",
            "resolutions",
            "malware",
            "core",
            "hacktool",
            "skynet",
            "dangerous",
            "cyber threat",
            "physical attacks",
            "cyber stalking",
            "malvertizing",
            "android overlay",
            "malicious",
            "spyware",
            "tracking",
            "all octoseek",
            "threat"
          ],
          "references": [
            "enterprise.cellebrite.com",
            "osint-j2.cellebrite.com",
            "nsopit-ibgmc.acs-inc.com",
            "https://cellebrite.com/en/federal-government/",
            "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en",
            "http://init-p01st.push.apple.com/bag [Apple Tracking]",
            "http://www.apple.com/certificateauthority/AppleAAI2CA.cer",
            "http://www.apple.com/certificateauthority/AppleAAICAG3.cer"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "AndroidOverlayMalware - MOB-S0012",
              "display_name": "AndroidOverlayMalware - MOB-S0012",
              "target": null
            },
            {
              "id": "Ransom:Win32/Cryptor",
              "display_name": "Ransom:Win32/Cryptor",
              "target": "/malware/Ransom:Win32/Cryptor"
            }
          ],
          "attack_ids": [
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [
            "Civil Society",
            "Healthcare",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "65b5da65f8fa8cedd9d32395",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 89,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 385,
            "domain": 92,
            "hostname": 324,
            "URL": 93
          },
          "indicator_count": 1069,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "826 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b5da65f8fa8cedd9d32395",
          "name": "AndroidOverlayMalware: Enterprise.Cellebrite.com | Targets SA Victim",
          "description": "Software Company\nCellebrite\n\nCellebrite Enterprise Solutions\nHow Cellebrite's Enterprise Solutions Solve Your Challenges: \u00b7 Industry-leading remote collection capabilities for mobile devices, computers, etc. \nCellebrite DI Ltd. is an Israeli digital intelligence company that provides tools for federal, state, and local law enforcement as well as enterprise companies and service providers to collect, review, analyze and manage digital data.",
          "modified": "2024-02-27T04:01:50.703000",
          "created": "2024-01-28T04:39:01.670000",
          "tags": [
            "ssl certificate",
            "whois record",
            "pegasus",
            "cellbrite",
            "sa victim",
            "assaulter",
            "execution",
            "targets sa",
            "survivor",
            "privilege https",
            "contacted",
            "resolutions",
            "malware",
            "core",
            "hacktool",
            "skynet",
            "dangerous",
            "cyber threat",
            "physical attacks",
            "cyber stalking",
            "malvertizing",
            "android overlay",
            "malicious",
            "spyware",
            "tracking",
            "all octoseek",
            "threat"
          ],
          "references": [
            "enterprise.cellebrite.com",
            "osint-j2.cellebrite.com",
            "nsopit-ibgmc.acs-inc.com",
            "https://cellebrite.com/en/federal-government/",
            "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en",
            "http://init-p01st.push.apple.com/bag [Apple Tracking]",
            "http://www.apple.com/certificateauthority/AppleAAI2CA.cer",
            "http://www.apple.com/certificateauthority/AppleAAICAG3.cer"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "AndroidOverlayMalware - MOB-S0012",
              "display_name": "AndroidOverlayMalware - MOB-S0012",
              "target": null
            },
            {
              "id": "Ransom:Win32/Cryptor",
              "display_name": "Ransom:Win32/Cryptor",
              "target": "/malware/Ransom:Win32/Cryptor"
            }
          ],
          "attack_ids": [
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [
            "Civil Society",
            "Healthcare",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 89,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 385,
            "domain": 92,
            "hostname": 324,
            "URL": 93
          },
          "indicator_count": 1069,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "826 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b80a20bbcd0eb305a740ec",
          "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-29T20:27:12.899000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a76c2901b34c79a681596d",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "837 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a77c6a22a236495c4548d6",
          "name": "PEGASUS | Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "I'm unclear if the legitimatecy of use of Cellbrite considering Brashears was the attacked. Brashears has spoken with every authority on her own terms. Law enforcement 'you're not that important. You're not a suspect .' FBI -' Brashears victim of Identity theft case that lasted months. Alleged false reports removed.'  PI's - 'someone is abusing privilege' Was a SA advocate Non Profit. Awareness Saves & social media deleted by hackers",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-17T07:06:18.453000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "remote",
            "malvertizing",
            "spying",
            "cyber stalking"
          ],
          "references": [
            "https://tulach.cc/",
            "go.sabey.com",
            "sabey.com",
            "cellebrite.com",
            "https://cellebrite.com/en/federal-government/  [Pegasus ck privilege collection]",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "remote.aciscomputers.com",
            "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY&region=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
            "114.114.114.114 [Tulach]",
            "nr-data.net [Apple Private Data Collection]",
            "defenselawyernj.com",
            "attorney-marketing-specialists.com ?",
            "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
            "http://www.apple.com/appleca/AppleIncRootCertificate.cer",
            "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
            "https://t.me/hermitspyware/24",
            "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
            "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
            "http://watchhers.net/index.php [remote attackers | malware spreader]",
            "api-stage.pornhub.com",
            "newbrazzers.com [y8.com]",
            "www.videolan.org [info solutions]",
            "www2.blackbagtech.com [hidden users included]",
            "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
            "http://pegasus.diskel.co.uk/ [phishing]",
            "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
            "fds.cellebrite.com",
            "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
            "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
            "http://download.virtualbox.org/virtualbox/debian",
            "match.pegasus.isi.edu",
            "asp.net",
            "http://dropbox.com/ [ intrusions/ dropbox stealer]"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Trojan:Win32/Comspec",
              "display_name": "Trojan:Win32/Comspec",
              "target": "/malware/Trojan:Win32/Comspec"
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1588.004",
              "name": "Digital Certificates",
              "display_name": "T1588.004 - Digital Certificates"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            }
          ],
          "industries": [
            "Individual",
            "Patient",
            "Healthcare",
            "Survivor"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3157,
            "domain": 2903,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13639,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "837 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a76c2901b34c79a681596d",
          "name": "Exodus l Cellbrite | Brian Sabey | HallRender | Tulach",
          "description": "Brian Sabey of Hall Render Law firm is incredibly entrenched in spying on a single target. Having made contact,impersonal invitations to meet, filing a lawsuit dismissed by a judge , paying to silence SA victim and spending many years spying, destroying digital profile m libel, malvertizing is concerning. \nConsidering Brashears death threats, following ,  being approached and attempts on her personal safety is unwarranted. Brashears was the confirmed victim of life threatening SA. How does the Federal Government allow this? Found embedded in Brashears link that came from her iPhone.",
          "modified": "2024-02-16T05:03:15.321000",
          "created": "2024-01-17T05:56:57.948000",
          "tags": [
            "ssl certificate",
            "network",
            "malware",
            "whois record",
            "contacted",
            "pegasus",
            "resolutions",
            "communicating",
            "sa victim",
            "assaulter",
            "quasar",
            "brian sabey",
            "go.sabey",
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "urls https",
            "samples",
            "united",
            "aaaa",
            "status",
            "susp",
            "search",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "date",
            "next",
            "show",
            "domain related",
            "feeds ioc",
            "maltiverse",
            "analyze",
            "scan endpoints",
            "all octoseek",
            "url https",
            "pulse pulses",
            "http",
            "ip address",
            "related nids",
            "files location",
            "all search",
            "otx octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "files",
            "china unknown",
            "as4134 chinanet",
            "unknown",
            "name servers",
            "showing",
            "namesilo",
            "domain name",
            "dynadot llc",
            "as8075",
            "script urls",
            "netherlands",
            "a domains",
            "capture",
            "asnone united",
            "record value",
            "expiration date",
            "entries",
            "cname",
            "tulach",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "server",
            "available from",
            "iana id",
            "registrar abuse",
            "registrar url",
            "registrar whois",
            "abuse contact",
            "email",
            "registry domain",
            "code",
            "win32 exe",
            "ufed iphone",
            "cellebrite ufed",
            "setup",
            "tjprojmain",
            "ufed4pc",
            "win32 dll",
            "detections type",
            "name",
            "responder",
            "exodus",
            "android",
            "office open",
            "xml document",
            "cellebrite",
            "type name",
            "pdf cellebrite",
            "ufed release",
            "cellbrite",
            "privilege https",
            "targets sa",
            "survivor",
            "getprocaddress",
            "indicator",
            "prefetch8",
            "mitre att",
            "ck id",
            "show technique",
            "ck matrix",
            "file",
            "pattern match",
            "observed email",
            "path",
            "factory",
            "hybrid",
            "general",
            "model",
            "comspec",
            "click",
            "title",
            "page",
            "body doctype",
            "quoth",
            "raven",
            "gmt content",
            "type",
            "vary",
            "accept",
            "october",
            "december",
            "copy",
            "execution",
            "awful",
            "referrer",
            "april",
            "kimsuky",
            "malicious",
            "crypto",
            "startpage",
            "hacktool",
            "installer",
            "tofsee",
            "historical ssl",
            "threat roundup",
            "phishing",
            "utc submissions",
            "submitters",
            "csc corporate",
            "domains",
            "twitter",
            "dropbox",
            "incapsula",
            "summary iocs",
            "graph community",
            "registrarsafe",
            "gandi sas",
            "google llc",
            "amazon02",
            "google",
            "akamaias",
            "facebook",
            "service",
            "patch",
            "namecheapnet",
            "cloudflarenet",
            "amazonaes",
            "gmo internet",
            "apple",
            "tsara brashears",
            "keylogger"
          ],
          "references": [
            "https://tulach.cc/",
            "cellebrite.com | https://cellebrite.com/en/federal-government/",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "https://twitter.com/PORNO_SEXYBABES",
            "hanmail.net",
            "114.114.114.114",
            "work.a-poster.info",
            "www-stage40.pornhub.com",
            "go.sabey.com",
            "sabey.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Exodus",
              "display_name": "Exodus",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "PWS:Win32/Raven",
              "display_name": "PWS:Win32/Raven",
              "target": "/malware/PWS:Win32/Raven"
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            },
            {
              "id": "VirTool:Win32/Tofsee",
              "display_name": "VirTool:Win32/Tofsee",
              "target": "/malware/VirTool:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4101,
            "FileHash-MD5": 322,
            "FileHash-SHA1": 296,
            "FileHash-SHA256": 3155,
            "domain": 2894,
            "hostname": 2847,
            "CVE": 2,
            "email": 9,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 13628,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "837 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a4880cf26f0feaf9a75648",
          "name": "Formbook",
          "description": "",
          "modified": "2024-02-13T08:03:20.064000",
          "created": "2024-01-15T01:19:08.041000",
          "tags": [
            "ssl certificate",
            "contacted",
            "execution",
            "ah6itbtgl",
            "whois record",
            "historical ssl",
            "referrer",
            "subdomains",
            "resolutions",
            "formbook",
            "threat roundup",
            "malware",
            "metro",
            "social engineering",
            "jansky",
            "script urls",
            "a domains",
            "united",
            "search",
            "date",
            "script domains",
            "creation date",
            "record value",
            "showing",
            "unknown",
            "meta",
            "body",
            "encrypt",
            "as63949 linode",
            "as41357",
            "united kingdom",
            "scan endpoints",
            "all octoseek",
            "domain",
            "pulse submit",
            "url analysis",
            "server",
            "registrar abuse",
            "iana id",
            "contact phone",
            "domain status",
            "registrar url",
            "registrar whois",
            "email",
            "registry domain",
            "win32 exe",
            "javascript",
            "eqsray",
            "zip blaze",
            "ms excel",
            "detections type",
            "name",
            "text",
            "csv order",
            "files",
            "microsoft",
            "dns replication",
            "bt6lcuigydc9yc",
            "jxaavf4jnzza0",
            "submission",
            "community score",
            "no security",
            "graph api",
            "status",
            "content type",
            "xcitium verdict",
            "cloud marketing",
            "history first",
            "thebrotherssabey",
            "passive dns",
            "gmt content",
            "plesklin",
            "ipv4",
            "pulse pulses",
            "urls",
            "vbs",
            "data center",
            "reverse dns",
            "first",
            "utc submissions",
            "submitters",
            "bbonline uk",
            "namecheap inc",
            "summary iocs",
            "graph community",
            "ionos se",
            "keysystems gmbh",
            "record type",
            "ttl value",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "cus cnr3",
            "olet",
            "subject public",
            "key info",
            "key algorithm",
            "ec oid",
            "sabey",
            "all search",
            "otx octoseek",
            "url http",
            "http",
            "hostname",
            "files domain",
            "msie",
            "chrome",
            "expiration date",
            "next",
            "whois lookup",
            "dnssec",
            "domain name",
            "abuse contact",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "cname",
            "as44273 host",
            "ip address"
          ],
          "references": [
            "appleremote.net",
            "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111",
            "FormBook",
            "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc",
            "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020",
            "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65a39f005c7f0a1c1eb33125",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1650,
            "hostname": 1778,
            "domain": 2102,
            "URL": 4435,
            "FileHash-MD5": 100,
            "FileHash-SHA1": 119,
            "email": 2,
            "CIDR": 1
          },
          "indicator_count": 10187,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "840 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659261d5965b4824d1606cf9",
          "name": "Pegasus - a-poster.info",
          "description": "",
          "modified": "2024-01-31T04:00:35.757000",
          "created": "2024-01-01T06:55:17.262000",
          "tags": [
            "no expiration",
            "domain",
            "hostname",
            "ipv4",
            "expiration",
            "iocs",
            "ipv6",
            "url http",
            "url https",
            "next",
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "cidr",
            "pcap",
            "stix",
            "subid",
            "mtsub26293293",
            "dashboard",
            "browse scan",
            "endpoints all",
            "octoseek",
            "a poster",
            "apple",
            "apple id",
            "apple engineering",
            "icloud",
            "tulach",
            "hallrender",
            "ck matrix",
            "ck id",
            "xobo",
            "a nxdomain",
            "sabey",
            "aaaa",
            "win32",
            "briansabey",
            "brian",
            "brian sabey",
            "urls https",
            "unknown urls",
            "united",
            "ttl value",
            "tsara brashears",
            "trojan",
            "tracker",
            "tofsee",
            "threat analyzer",
            "threat",
            "temp",
            "teams api",
            "subdomains",
            "active",
            "active threat",
            "strings",
            "status codes",
            "japan national police agency",
            "pegasus",
            "china",
            "aig",
            "ssl certificate",
            "accept",
            "ssh on server",
            "speakez securus",
            "show technique",
            "https",
            "relay",
            "state",
            "android",
            "address",
            "aposter",
            "workaposter",
            "sha256",
            "showing",
            "simple",
            "span",
            "small",
            "serving ip",
            "script",
            "search",
            "root",
            "ca",
            "samples",
            "root ca",
            "resolutions",
            "remote",
            "relay",
            "relacion",
            "referrer",
            "record value",
            "applenoc",
            "as16625",
            "attack",
            "apple attack",
            "bundled",
            "canvas",
            "mitre attk",
            "brute force passwords",
            "body length",
            "body",
            "backdoor",
            "bellsouth",
            "bahamut",
            "bell south",
            "mitre",
            "cellbrite",
            "class",
            "click",
            "authority",
            "contentencoding",
            "akamai",
            "as20940",
            "as24940 hetzner",
            "as58061 scalaxy",
            "scalaxy",
            "as714",
            "critical",
            "communicating",
            "quasar",
            "trojan",
            "et",
            "icefog",
            "pegasus",
            "tofsee",
            "cmd",
            "crypto",
            "error",
            "dns replication",
            "domain entries",
            "et cins",
            "execution",
            "cname",
            "config",
            "contact",
            "contacted",
            "copy",
            "creation date",
            "formbook",
            "jekyll",
            "graph",
            "germany unknown",
            "generator",
            "general",
            "forbidden",
            "falcon sandbox",
            "ssl hostname",
            "false",
            "file",
            "final url",
            "final url summary",
            "hashes files",
            "headers nel",
            "historical",
            "malicious host",
            "malvertizing",
            "malware",
            "tagging",
            "contextualizing",
            "localappdata",
            "install",
            "installer",
            "ioc search",
            "iocs kb",
            "body",
            "local",
            "United states",
            "name",
            "name servers",
            "mitre att",
            "metro",
            "meta",
            "mail spammer",
            "submit",
            "submit quasar",
            "phishing",
            "pattern match",
            "paste",
            "passive dns",
            "nxdomain",
            "national police agency japan",
            "network",
            "verdict",
            "cmd",
            "sandbox",
            "http response",
            "record type",
            "phishing",
            "nuance",
            "next",
            "new ioc",
            "subdomains",
            "germany",
            "reinsurance",
            "nuance",
            "cybercrime",
            "tracking",
            "cyber stalking",
            "fear",
            "masquerading",
            "cobalt strike"
          ],
          "references": [
            "a-poster.info",
            "https://tulach.cc/",
            "images.ctfassets.net",
            "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
            "nr-data.net [Apple Private Data Collection]",
            "http://gmpg.org/xfn/11 [HTTrack]",
            "192.229.211.108 [Tracking & Virus Network]",
            "me.com [Pegasus]",
            "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
            "37.1.217.172 [scanning host]",
            "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "IceFog",
              "display_name": "IceFog",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Trojan",
              "display_name": "Trojan",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Appleservice",
              "display_name": "Appleservice",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4719,
            "domain": 2497,
            "hostname": 3549,
            "FileHash-MD5": 4118,
            "FileHash-SHA1": 3496,
            "FileHash-SHA256": 5861,
            "CIDR": 12,
            "email": 17
          },
          "indicator_count": 24269,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "853 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659261e2290ac1ecc5d9ca74",
          "name": "Pegasus - a-poster.info",
          "description": "",
          "modified": "2024-01-31T04:00:35.757000",
          "created": "2024-01-01T06:55:30.771000",
          "tags": [
            "no expiration",
            "domain",
            "hostname",
            "ipv4",
            "expiration",
            "iocs",
            "ipv6",
            "url http",
            "url https",
            "next",
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "cidr",
            "pcap",
            "stix",
            "subid",
            "mtsub26293293",
            "dashboard",
            "browse scan",
            "endpoints all",
            "octoseek",
            "a poster",
            "apple",
            "apple id",
            "apple engineering",
            "icloud",
            "tulach",
            "hallrender",
            "ck matrix",
            "ck id",
            "xobo",
            "a nxdomain",
            "sabey",
            "aaaa",
            "win32",
            "briansabey",
            "brian",
            "brian sabey",
            "urls https",
            "unknown urls",
            "united",
            "ttl value",
            "tsara brashears",
            "trojan",
            "tracker",
            "tofsee",
            "threat analyzer",
            "threat",
            "temp",
            "teams api",
            "subdomains",
            "active",
            "active threat",
            "strings",
            "status codes",
            "japan national police agency",
            "pegasus",
            "china",
            "aig",
            "ssl certificate",
            "accept",
            "ssh on server",
            "speakez securus",
            "show technique",
            "https",
            "relay",
            "state",
            "android",
            "address",
            "aposter",
            "workaposter",
            "sha256",
            "showing",
            "simple",
            "span",
            "small",
            "serving ip",
            "script",
            "search",
            "root",
            "ca",
            "samples",
            "root ca",
            "resolutions",
            "remote",
            "relay",
            "relacion",
            "referrer",
            "record value",
            "applenoc",
            "as16625",
            "attack",
            "apple attack",
            "bundled",
            "canvas",
            "mitre attk",
            "brute force passwords",
            "body length",
            "body",
            "backdoor",
            "bellsouth",
            "bahamut",
            "bell south",
            "mitre",
            "cellbrite",
            "class",
            "click",
            "authority",
            "contentencoding",
            "akamai",
            "as20940",
            "as24940 hetzner",
            "as58061 scalaxy",
            "scalaxy",
            "as714",
            "critical",
            "communicating",
            "quasar",
            "trojan",
            "et",
            "icefog",
            "pegasus",
            "tofsee",
            "cmd",
            "crypto",
            "error",
            "dns replication",
            "domain entries",
            "et cins",
            "execution",
            "cname",
            "config",
            "contact",
            "contacted",
            "copy",
            "creation date",
            "formbook",
            "jekyll",
            "graph",
            "germany unknown",
            "generator",
            "general",
            "forbidden",
            "falcon sandbox",
            "ssl hostname",
            "false",
            "file",
            "final url",
            "final url summary",
            "hashes files",
            "headers nel",
            "historical",
            "malicious host",
            "malvertizing",
            "malware",
            "tagging",
            "contextualizing",
            "localappdata",
            "install",
            "installer",
            "ioc search",
            "iocs kb",
            "body",
            "local",
            "United states",
            "name",
            "name servers",
            "mitre att",
            "metro",
            "meta",
            "mail spammer",
            "submit",
            "submit quasar",
            "phishing",
            "pattern match",
            "paste",
            "passive dns",
            "nxdomain",
            "national police agency japan",
            "network",
            "verdict",
            "cmd",
            "sandbox",
            "http response",
            "record type",
            "phishing",
            "nuance",
            "next",
            "new ioc",
            "subdomains",
            "germany",
            "reinsurance",
            "nuance",
            "cybercrime",
            "tracking",
            "cyber stalking",
            "fear",
            "masquerading",
            "cobalt strike"
          ],
          "references": [
            "a-poster.info",
            "https://tulach.cc/",
            "images.ctfassets.net",
            "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
            "nr-data.net [Apple Private Data Collection]",
            "http://gmpg.org/xfn/11 [HTTrack]",
            "192.229.211.108 [Tracking & Virus Network]",
            "me.com [Pegasus]",
            "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
            "37.1.217.172 [scanning host]",
            "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "IceFog",
              "display_name": "IceFog",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Trojan",
              "display_name": "Trojan",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Appleservice",
              "display_name": "Appleservice",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4695,
            "domain": 2494,
            "hostname": 3547,
            "FileHash-MD5": 4118,
            "FileHash-SHA1": 3496,
            "FileHash-SHA256": 5841,
            "CIDR": 12,
            "email": 17
          },
          "indicator_count": 24220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "853 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6544cbbca7610e92e4262c47",
          "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting",
          "description": "",
          "modified": "2023-11-29T14:03:31.663000",
          "created": "2023-11-03T10:30:20.965000",
          "tags": [
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "communicating",
            "resolutions",
            "historical ssl",
            "whois whois",
            "http",
            "critical risk",
            "dark power",
            "cobalt strike",
            "malware",
            "core",
            "critical",
            "copy",
            "formbook",
            "submission",
            "sophos sophos",
            "xcitium verdict",
            "cloud xcitium",
            "verdict cloud",
            "history first",
            "analysis",
            "utc http",
            "response final",
            "url https",
            "march",
            "execution",
            "falcon sandbox",
            "pattern match",
            "changelog",
            "header",
            "layer",
            "data",
            "ipv4",
            "function",
            "file",
            "et tor",
            "known tor",
            "meta",
            "monitoring",
            "date",
            "body",
            "form",
            "august",
            "june",
            "friendly",
            "main",
            "footer",
            "unknown",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "error",
            "pe resource",
            "redline stealer",
            "april",
            "lockbit",
            "emotet",
            "hacktool",
            "apple",
            "tsara brashears",
            "tmobile",
            "pyinstaller",
            "password",
            "dns poisoning",
            "domains",
            "abuse",
            "kiannas law",
            "cyber security",
            "cisco umbrella",
            "site",
            "malware site",
            "malicious site",
            "safe site",
            "alexa top",
            "million",
            "phishing site",
            "team phishing",
            "exploit",
            "download",
            "unruy",
            "alexa",
            "riskware",
            "back",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "team",
            "cutwail",
            "adload",
            "maltiverse",
            "kryptik",
            "united",
            "cyber threat",
            "engineering",
            "bambernek",
            "strike",
            "zbot",
            "suppobox",
            "malicious",
            "ransomware",
            "virut",
            "bandoo",
            "matsnu",
            "iframe",
            "zeus",
            "agent",
            "steam",
            "nymaim",
            "citadel",
            "heur",
            "covid19",
            "simda",
            "artemis",
            "bradesco",
            "pony",
            "pykspa",
            "sodinokibi",
            "betabot",
            "virustotal",
            "tinba",
            "domaiq",
            "ave maria",
            "revil",
            "downloader",
            "tofsee",
            "vawtrak",
            "hotmail",
            "dnspionage",
            "nexus",
            "generic",
            "andromeda",
            "dropper",
            "crypt",
            "outbreak",
            "wacatac",
            "mimikatz",
            "trojanx",
            "astaroth",
            "keybase",
            "stealer",
            "radamant",
            "kovter",
            "unsafe",
            "win64",
            "conduit",
            "presenoker",
            "opencandy",
            "remcos",
            "miner",
            "agenttesla",
            "trojan",
            "detplock",
            "networm",
            "fusioncore",
            "acint",
            "installpack",
            "xtrat",
            "nircmd",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "nanocore",
            "keygen",
            "fareit",
            "secrisk",
            "fakealert",
            "filetour",
            "installcore",
            "floxif",
            "cleaner",
            "patcher",
            "kgs0",
            "kls0",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "urls",
            "detection list",
            "blacklist http",
            "samples",
            "blacklist"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Kryptik",
              "display_name": "Kryptik",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Health"
          ],
          "TLP": "green",
          "cloned_from": "654140bae73f795aa914e8de",
          "export_count": 108,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 518,
            "FileHash-SHA1": 507,
            "FileHash-SHA256": 10945,
            "URL": 19764,
            "domain": 5110,
            "hostname": 8668,
            "CIDR": 2,
            "CVE": 24
          },
          "indicator_count": 45538,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "915 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "654140bae73f795aa914e8de",
          "name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
          "description": "",
          "modified": "2023-11-29T14:03:31.663000",
          "created": "2023-10-31T18:00:26.439000",
          "tags": [
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "communicating",
            "resolutions",
            "historical ssl",
            "whois whois",
            "http",
            "critical risk",
            "dark power",
            "cobalt strike",
            "malware",
            "core",
            "critical",
            "copy",
            "formbook",
            "submission",
            "sophos sophos",
            "xcitium verdict",
            "cloud xcitium",
            "verdict cloud",
            "history first",
            "analysis",
            "utc http",
            "response final",
            "url https",
            "march",
            "execution",
            "falcon sandbox",
            "pattern match",
            "changelog",
            "header",
            "layer",
            "data",
            "ipv4",
            "function",
            "file",
            "et tor",
            "known tor",
            "meta",
            "monitoring",
            "date",
            "body",
            "form",
            "august",
            "june",
            "friendly",
            "main",
            "footer",
            "unknown",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "error",
            "pe resource",
            "redline stealer",
            "april",
            "lockbit",
            "emotet",
            "hacktool",
            "apple",
            "tsara brashears",
            "tmobile",
            "pyinstaller",
            "password",
            "dns poisoning",
            "domains",
            "abuse",
            "kiannas law",
            "cyber security",
            "cisco umbrella",
            "site",
            "malware site",
            "malicious site",
            "safe site",
            "alexa top",
            "million",
            "phishing site",
            "team phishing",
            "exploit",
            "download",
            "unruy",
            "alexa",
            "riskware",
            "back",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "team",
            "cutwail",
            "adload",
            "maltiverse",
            "kryptik",
            "united",
            "cyber threat",
            "engineering",
            "bambernek",
            "strike",
            "zbot",
            "suppobox",
            "malicious",
            "ransomware",
            "virut",
            "bandoo",
            "matsnu",
            "iframe",
            "zeus",
            "agent",
            "steam",
            "nymaim",
            "citadel",
            "heur",
            "covid19",
            "simda",
            "artemis",
            "bradesco",
            "pony",
            "pykspa",
            "sodinokibi",
            "betabot",
            "virustotal",
            "tinba",
            "domaiq",
            "ave maria",
            "revil",
            "downloader",
            "tofsee",
            "vawtrak",
            "hotmail",
            "dnspionage",
            "nexus",
            "generic",
            "andromeda",
            "dropper",
            "crypt",
            "outbreak",
            "wacatac",
            "mimikatz",
            "trojanx",
            "astaroth",
            "keybase",
            "stealer",
            "radamant",
            "kovter",
            "unsafe",
            "win64",
            "conduit",
            "presenoker",
            "opencandy",
            "remcos",
            "miner",
            "agenttesla",
            "trojan",
            "detplock",
            "networm",
            "fusioncore",
            "acint",
            "installpack",
            "xtrat",
            "nircmd",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "nanocore",
            "keygen",
            "fareit",
            "secrisk",
            "fakealert",
            "filetour",
            "installcore",
            "floxif",
            "cleaner",
            "patcher",
            "kgs0",
            "kls0",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "urls",
            "detection list",
            "blacklist http",
            "samples",
            "blacklist"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Kryptik",
              "display_name": "Kryptik",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Health"
          ],
          "TLP": "green",
          "cloned_from": "65401d73e96dd70037ed22a7",
          "export_count": 98,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 518,
            "FileHash-SHA1": 507,
            "FileHash-SHA256": 10945,
            "URL": 19764,
            "domain": 5110,
            "hostname": 8668,
            "CIDR": 2,
            "CVE": 24
          },
          "indicator_count": 45538,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "915 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65403022038832e42175601f",
          "name": "CRITICAL!!! | Health Insurance Cyber threat Matrix - Darkside 2020 Ecosystem .BEware ",
          "description": "",
          "modified": "2023-11-29T14:03:31.663000",
          "created": "2023-10-30T22:37:22.425000",
          "tags": [
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "communicating",
            "resolutions",
            "historical ssl",
            "whois whois",
            "http",
            "critical risk",
            "dark power",
            "cobalt strike",
            "malware",
            "core",
            "critical",
            "copy",
            "formbook",
            "submission",
            "sophos sophos",
            "xcitium verdict",
            "cloud xcitium",
            "verdict cloud",
            "history first",
            "analysis",
            "utc http",
            "response final",
            "url https",
            "march",
            "execution",
            "falcon sandbox",
            "pattern match",
            "changelog",
            "header",
            "layer",
            "data",
            "ipv4",
            "function",
            "file",
            "et tor",
            "known tor",
            "meta",
            "monitoring",
            "date",
            "body",
            "form",
            "august",
            "june",
            "friendly",
            "main",
            "footer",
            "unknown",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "error",
            "pe resource",
            "redline stealer",
            "april",
            "lockbit",
            "emotet",
            "hacktool",
            "apple",
            "tsara brashears",
            "tmobile",
            "pyinstaller",
            "password",
            "dns poisoning",
            "domains",
            "abuse",
            "kiannas law",
            "cyber security",
            "cisco umbrella",
            "site",
            "malware site",
            "malicious site",
            "safe site",
            "alexa top",
            "million",
            "phishing site",
            "team phishing",
            "exploit",
            "download",
            "unruy",
            "alexa",
            "riskware",
            "back",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "team",
            "cutwail",
            "adload",
            "maltiverse",
            "kryptik",
            "united",
            "cyber threat",
            "engineering",
            "bambernek",
            "strike",
            "zbot",
            "suppobox",
            "malicious",
            "ransomware",
            "virut",
            "bandoo",
            "matsnu",
            "iframe",
            "zeus",
            "agent",
            "steam",
            "nymaim",
            "citadel",
            "heur",
            "covid19",
            "simda",
            "artemis",
            "bradesco",
            "pony",
            "pykspa",
            "sodinokibi",
            "betabot",
            "virustotal",
            "tinba",
            "domaiq",
            "ave maria",
            "revil",
            "downloader",
            "tofsee",
            "vawtrak",
            "hotmail",
            "dnspionage",
            "nexus",
            "generic",
            "andromeda",
            "dropper",
            "crypt",
            "outbreak",
            "wacatac",
            "mimikatz",
            "trojanx",
            "astaroth",
            "keybase",
            "stealer",
            "radamant",
            "kovter",
            "unsafe",
            "win64",
            "conduit",
            "presenoker",
            "opencandy",
            "remcos",
            "miner",
            "agenttesla",
            "trojan",
            "detplock",
            "networm",
            "fusioncore",
            "acint",
            "installpack",
            "xtrat",
            "nircmd",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "nanocore",
            "keygen",
            "fareit",
            "secrisk",
            "fakealert",
            "filetour",
            "installcore",
            "floxif",
            "cleaner",
            "patcher",
            "kgs0",
            "kls0",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "urls",
            "detection list",
            "blacklist http",
            "samples",
            "blacklist"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Kryptik",
              "display_name": "Kryptik",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Health"
          ],
          "TLP": "green",
          "cloned_from": "65402a8dec948bec8b0a0372",
          "export_count": 95,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 518,
            "FileHash-SHA1": 507,
            "FileHash-SHA256": 8601,
            "URL": 7499,
            "domain": 4604,
            "hostname": 4187,
            "CIDR": 2,
            "CVE": 23,
            "URI": 1
          },
          "indicator_count": 25942,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "915 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65402a8dec948bec8b0a0372",
          "name": "24 CVE's | Health Liability bDarkside 2020 Ecosystem .BEware",
          "description": "Matrix of cyber crime attacks appears to involved legal entities and a division of Workers Compensation Colorado, possibly used nationally. Targeting, monitoring, tracking, malvertizing, cyber attacks, CNC. Critical.\nCould probably be disputed $$$$ though undisputable. \nEd Said. \nhttp://1.116.132.182/weblogic_CVE_2020_2551.jar\t\t\t\nCVE-2020-0601\t\t\t\t\t\nCVE-2018-8174\t\t\t\nCVE-2018-4893\t\t\t\nCVE-2018-0802\t\t\t\nCVE-2017-8759\t\t\t\t\t\t\nCVE-2017-8464\t\t\t\nCVE-2017-1188\t\t\t\t\nCVE-2017-0143\t\t\t\nCVE-2016-7262\t\t\t\nCVE-2014-6352\t\t\t\nCVE-2013-2465\t\t\t\nCVE-2011-2110\t\t\t\nCVE-2011-0609\t\t\t\nCVE-2010-2568\t\t\t\nCVE-2018-8453\t\t\t\nCVE-2013-1331\nCVE-2012-1856\t\t\t\t\nCVE-2012-0158\t\t\t\t\t\t\nCVE-2017-8570\t\t\t\nCVE-2017-11882\t\t\t\nCVE-2017-0199\t\t\t\t\t\t\nCVE-2017-0147\t\t\t\t\t\t\nCVE-2014-3153",
          "modified": "2023-11-29T14:03:31.663000",
          "created": "2023-10-30T22:13:33.427000",
          "tags": [
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "communicating",
            "resolutions",
            "historical ssl",
            "whois whois",
            "http",
            "critical risk",
            "dark power",
            "cobalt strike",
            "malware",
            "core",
            "critical",
            "copy",
            "formbook",
            "submission",
            "sophos sophos",
            "xcitium verdict",
            "cloud xcitium",
            "verdict cloud",
            "history first",
            "analysis",
            "utc http",
            "response final",
            "url https",
            "march",
            "execution",
            "falcon sandbox",
            "pattern match",
            "changelog",
            "header",
            "layer",
            "data",
            "ipv4",
            "function",
            "file",
            "et tor",
            "known tor",
            "meta",
            "monitoring",
            "date",
            "body",
            "form",
            "august",
            "june",
            "friendly",
            "main",
            "footer",
            "unknown",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "error",
            "pe resource",
            "redline stealer",
            "april",
            "lockbit",
            "emotet",
            "hacktool",
            "apple",
            "tsara brashears",
            "tmobile",
            "pyinstaller",
            "password",
            "dns poisoning",
            "domains",
            "abuse",
            "kiannas law",
            "cyber security",
            "cisco umbrella",
            "site",
            "malware site",
            "malicious site",
            "safe site",
            "alexa top",
            "million",
            "phishing site",
            "team phishing",
            "exploit",
            "download",
            "unruy",
            "alexa",
            "riskware",
            "back",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "team",
            "cutwail",
            "adload",
            "maltiverse",
            "kryptik",
            "united",
            "cyber threat",
            "engineering",
            "bambernek",
            "strike",
            "zbot",
            "suppobox",
            "malicious",
            "ransomware",
            "virut",
            "bandoo",
            "matsnu",
            "iframe",
            "zeus",
            "agent",
            "steam",
            "nymaim",
            "citadel",
            "heur",
            "covid19",
            "simda",
            "artemis",
            "bradesco",
            "pony",
            "pykspa",
            "sodinokibi",
            "betabot",
            "virustotal",
            "tinba",
            "domaiq",
            "ave maria",
            "revil",
            "downloader",
            "tofsee",
            "vawtrak",
            "hotmail",
            "dnspionage",
            "nexus",
            "generic",
            "andromeda",
            "dropper",
            "crypt",
            "outbreak",
            "wacatac",
            "mimikatz",
            "trojanx",
            "astaroth",
            "keybase",
            "stealer",
            "radamant",
            "kovter",
            "unsafe",
            "win64",
            "conduit",
            "presenoker",
            "opencandy",
            "remcos",
            "miner",
            "agenttesla",
            "trojan",
            "detplock",
            "networm",
            "fusioncore",
            "acint",
            "installpack",
            "xtrat",
            "nircmd",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "nanocore",
            "keygen",
            "fareit",
            "secrisk",
            "fakealert",
            "filetour",
            "installcore",
            "floxif",
            "cleaner",
            "patcher",
            "kgs0",
            "kls0",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "urls",
            "detection list",
            "blacklist http",
            "samples",
            "blacklist"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Kryptik",
              "display_name": "Kryptik",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Health"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 92,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 518,
            "FileHash-SHA1": 507,
            "FileHash-SHA256": 8601,
            "URL": 7499,
            "domain": 4603,
            "hostname": 4187,
            "CIDR": 2,
            "CVE": 23
          },
          "indicator_count": 25940,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "915 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65401fddb74fe1ea8506132d",
          "name": "Darkside 2020 Ecosystem  .BEware | BGP.tools | Target Tsara Brashears",
          "description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover ,  disabled. overly curious and hacked. HELP. SCARED",
          "modified": "2023-11-29T14:03:31.663000",
          "created": "2023-10-30T21:27:57.026000",
          "tags": [
            "ssl certificate",
            "whois record",
            "contacted",
            "referrer",
            "communicating",
            "resolutions",
            "historical ssl",
            "whois whois",
            "http",
            "critical risk",
            "dark power",
            "cobalt strike",
            "malware",
            "core",
            "critical",
            "copy",
            "formbook",
            "submission",
            "sophos sophos",
            "xcitium verdict",
            "cloud xcitium",
            "verdict cloud",
            "history first",
            "analysis",
            "utc http",
            "response final",
            "url https",
            "march",
            "execution",
            "falcon sandbox",
            "pattern match",
            "changelog",
            "header",
            "layer",
            "data",
            "ipv4",
            "function",
            "file",
            "et tor",
            "known tor",
            "meta",
            "monitoring",
            "date",
            "body",
            "form",
            "august",
            "june",
            "friendly",
            "main",
            "footer",
            "unknown",
            "hybrid",
            "general",
            "click",
            "strings",
            "class",
            "generator",
            "error",
            "pe resource",
            "redline stealer",
            "april",
            "lockbit",
            "emotet",
            "hacktool",
            "apple",
            "tsara brashears",
            "tmobile",
            "pyinstaller",
            "password",
            "dns poisoning",
            "domains",
            "abuse",
            "kiannas law",
            "cyber security",
            "cisco umbrella",
            "site",
            "malware site",
            "malicious site",
            "safe site",
            "alexa top",
            "million",
            "phishing site",
            "team phishing",
            "exploit",
            "download",
            "unruy",
            "alexa",
            "riskware",
            "back",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "team",
            "cutwail",
            "adload",
            "maltiverse",
            "kryptik",
            "united",
            "cyber threat",
            "engineering",
            "bambernek",
            "strike",
            "zbot",
            "suppobox",
            "malicious",
            "ransomware",
            "virut",
            "bandoo",
            "matsnu",
            "iframe",
            "zeus",
            "agent",
            "steam",
            "nymaim",
            "citadel",
            "heur",
            "covid19",
            "simda",
            "artemis",
            "bradesco",
            "pony",
            "pykspa",
            "sodinokibi",
            "betabot",
            "virustotal",
            "tinba",
            "domaiq",
            "ave maria",
            "revil",
            "downloader",
            "tofsee",
            "vawtrak",
            "hotmail",
            "dnspionage",
            "nexus",
            "generic",
            "andromeda",
            "dropper",
            "crypt",
            "outbreak",
            "wacatac",
            "mimikatz",
            "trojanx",
            "astaroth",
            "keybase",
            "stealer",
            "radamant",
            "kovter",
            "unsafe",
            "win64",
            "conduit",
            "presenoker",
            "opencandy",
            "remcos",
            "miner",
            "agenttesla",
            "trojan",
            "detplock",
            "networm",
            "fusioncore",
            "acint",
            "installpack",
            "xtrat",
            "nircmd",
            "psexec",
            "occamy",
            "brontok",
            "zpevdo",
            "startpage",
            "nanocore",
            "keygen",
            "fareit",
            "secrisk",
            "fakealert",
            "filetour",
            "installcore",
            "floxif",
            "cleaner",
            "patcher",
            "kgs0",
            "kls0",
            "threat report",
            "ip summary",
            "url summary",
            "summary",
            "urls",
            "detection list",
            "blacklist http",
            "samples",
            "blacklist"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Kryptik",
              "display_name": "Kryptik",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Health"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 92,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 518,
            "FileHash-SHA1": 507,
            "FileHash-SHA256": 8601,
            "URL": 7499,
            "domain": 4603,
            "hostname": 4187,
            "CIDR": 2,
            "CVE": 23
          },
          "indicator_count": 25940,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "915 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://init-p01st.push.apple.com/bag [Apple Tracking]",
        "Tracking: mailtrack.io \u2022 nr-data.net \u2022 tracking.bullseyeedu.com \u2022 https://smtp.mail.pentrack.com \u2022 tracking.vetsindexes.com",
        "https://www.facebooksunglassshop.com/",
        "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/image-recognition-and-searcher/id1450230225",
        "adsl-074-168-130-217.sip.pns.bellsouth.net",
        "sabey.com",
        "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21",
        "all-live.secure2storeapple.xxianzi.com \u2022 https://www.symbios.pk/apple-ipod-5-32gb",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "edgedl.me.gvt1.com",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "newbrazzers.com [y8.com]",
        "http://www.apple.com/certificateauthority/AppleAAI2CA.cer",
        "http://flexlucky.com/isurvey/en/?devicemodel=iPhone&carrier=\u00aeion=Tbilisi&brand=Apple&browser=GoogleApp&prize=cur&u=track.bawiwia.com&isp=JSCGlobalErty&ts=29900ce7-726c-4c9f-b0c3-21ff2f859648&country=GE&click_id=wuo4jm6db011lufu2f8h138c&partner=5658402&skip=yes&frame={frame}&cost=0.010100&lang=en",
        "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
        "api-stage.pornhub.com",
        "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb",
        "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound",
        "http://init-p01st.push.apple.com/bag [= Google.com.uy modified browser - malicious] apple.com-auth.eu \u2022 appleid.apple.com-auth.eu\u2022",
        "4jslg.sabeydatacenters.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption]",
        "http://subtitles.rest7.com/subs/The.Expanse.S03E11.720p.HDTV.x264-KILLERS[eztv].mkv",
        "hyundai-smg.com | http://hyundai-smg.com/index.php?route=information/contact | http://hyundai-smg.com/index.php?route=information/contact",
        "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community",
        "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "cellebrite.com | https://cellebrite.com/en/federal-government/",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8",
        "hanmail.net",
        "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85",
        "healthcare.greatcall.com [fake call centers | PHI & PII info stealers]",
        "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111",
        "enterprise.cellebrite.com",
        "URLs-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - urls.csv",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password decryption]",
        "https://t.me/hermitspyware/24",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL",
        "www-stage40.pornhub.com",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone",
        "114.114.114.114 [Tulach]",
        "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]",
        "2-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "https://viz.greynoise.io/query/AS4611",
        "http://pegasus.diskel.co.uk/ [phishing]",
        "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020",
        "http://download.virtualbox.org/virtualbox/debian",
        "http://www.apple.com/appleca/AppleIncRootCertificate.cer",
        "match.pegasus.isi.edu",
        "nsopit-ibgmc.acs-inc.com",
        "www2.blackbagtech.com [hidden users included]",
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "Pop: HIO50 C1 X Amz Cf Id: Jt aBPO2nI3Nt D0E4nzqpun66btDLhJ41kQwhDASrIukoWyUOWE1w==",
        "http://dropbox.com/ [ intrusions/ dropbox stealer]",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "images.ctfassets.net",
        "me.com [Pegasus]",
        "Link found in https://house.mo.com",
        "https://otx.alienvault.com/indicator/ip/74.6.231.21",
        "wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language",
        "https://tulach.cc/",
        "work.a-poster.info",
        "https://viz.greynoise.io/query/AS45090",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing \u2022 apple collection]",
        "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]",
        "https://twitter.com/PORNO_SEXYBABES",
        "192.229.211.108 [Tracking & Virus Network]",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "pornhub.com\t \u2022 www.pornhub.com",
        "attorney-marketing-specialists.com ?",
        "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
        "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE",
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE",
        "https://urlscan.io/asn/AS45090",
        "https://side3.com/ | webdisk.side3.com | (http://koshishmarketing.com/mo8igygw3uv/t4z68181/ | malware hosting)",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "https://www.malwarebytes.com/emotet",
        "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551",
        "fds.cellebrite.com",
        "http://gmpg.org/xfn/11 [HTTrack]",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/  [ phishing | data collection | property theft | target]",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "http://www1.mychartahn.org/?tm=1&subid4=1671014887.0191400000&kw=Patient+Portal&KW1=Patient+Access+Network&KW2=Patient+Self+Check+In+System&KW3=Electronic+Health+Record+EHR+System&KW4=Patient+Appointment+Scheduling+System&KW5=Medical+Billing+System+Software&KW6=Patient+Financial+Assistance&searchbox=0&domainname=0&backfill=0",
        "https://www.virustotal.com/graph/g7a78c4f156e94fbbb3138d9e6b65fbdb093820b95fef440b967cc189faa5dc58",
        "https://cellebrite.com/en/federal-government/",
        "https://176.113.115.136/ohhiiiii/",
        "apple.com-auth.eu [Find apple] | https://applemusic-spotlight.myunidays.com/US/en-US? [compromise via apple media]",
        "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 [apple media compromise. Pega behavior?]",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a",
        "https://urlscan.io/asn/AS4611",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "https://www.esurance.com/",
        "palantir-staging.staging.candidate.app.paulsjob.ai",
        "wallpapers-nature.com",
        "https://cellebrite.com/en/federal-government/  [Pegasus ck privilege collection]",
        "FormBook",
        "hello-world-mute-unit-3072.a-rahimi-farahani.workers.dev",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "go.sabey.com",
        "http://www.apple.com/certificateauthority/AppleAAICAG3.cer",
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "osint-j2.cellebrite.com",
        "www.videolan.org [info solutions]",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "https://ispy-official.com/ X Cache: Redirect from cloudfront Via: 1.1 030fe0607711293dda988e571617a9f2.cloudfront.net CloudFront X Amz Cf",
        "http://watchhers.net/index.php [remote attackers | malware spreader]",
        "Hashes-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - files.csv",
        "ProflWiz.exe | 1993173153b9112833140c61f28232bd8af7df7a4891fa4796378a6647fe95e0",
        "cellebrite.com",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
        "appleremote.net",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "http://m.xiang5.com/keyword/17655.html&ht=%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%8D%E8%B4%B9%E9%98%85%E8%AF%BB_%E9%98%BF%E6%BD%BC%E5%B0%8F%E8%AF%B4%E5%9C%A8%E7%BA%BF%E9%98%85%E8%AF%BB%E5%85%A8%E6%9C%AC%E6%97%A0%E5%BC%B9%E7%AA%97-%E9%A6%99%E7%BD%91%E5%B0%8F%E8%AF%B4%E6%89%8B%E6%9C%BA%E7%89%88&uaddr=https:/www.sogou.com/link?url=58p16RfDRLtDzo-0AEmfJoGs8rDRUEq4ejjohgXqBYnQGuHk6xSRXg..&h=1080&w=1920&cd=24&lg=zh-CN&ua=mozilla/5.0%20(windows%20nt%2010.0;%20win64;%20x64)%20",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be",
        "asp.net",
        "defenselawyernj.com",
        "https://tulach.cc/ |   [phishing | malware engineering]",
        "https://www.instagram.com/unipegasus_infotech_solutions/?hl=en",
        "https://plussizedesi.com/wp-content/uploads/2022/07/SniperGhostWarrior2BlackBox_Version_Download_INSTALL.pdf",
        "https://track.toccha.com/978eb025-0a62-46fa-827c-d71aa0524818?zoneid=5939372&ua=high&subzone_id=3038557&set=social&country=SY&region=49&isp=syriatelmobiletelecom&useragent=Mozilla/5.0",
        "Remote threats: http://watchhers.net/index.php \u2022 http://eye.infunvip.com/appinterface/other/login.remote",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "114.114.114.114",
        "37.1.217.172 [scanning host]",
        "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
        "https://sabeydatacenters.com/",
        "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt",
        "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]",
        "a-poster.info",
        "domains-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - domains.csv",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios",
        "ip-jwanihad - _No Problems__ Investigation of Distribution Vectors and Threat Network Infrastructure - ip_addresses.csv",
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "/Users/user1/Library/CloudStorage/OneDrive-ualberta.ca/No Problems/1. Data for No Problems - Analysis and Upload in Progress/VT IOCs Updated - in Progress/Virustotal IOCs 08.21.23 - 903am",
        "https://n0paste.eu/UH6n5pD/",
        "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
        "CVE-2017-0147 \u2022 CVE-2023-4966 \u2022 CVE-2023-22518",
        "nr-data.net [Apple Private Data Collection]",
        "sabeydatacenters.com",
        "appleaustralia.com",
        "nr-data.net  [Apple Private Data Collection]",
        "remote.aciscomputers.com"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
            "NSO GROUP"
          ],
          "malware_families": [
            "Tulach",
            "Formbook",
            "Muldrop",
            "#lowfitrojan:html/iframe",
            "Pegasus rdp module for windows",
            "Amadey",
            "#lowfi:hstr:win32/mediadownloader",
            "Pws:win32/raven",
            "Virtool:win32/tofsee",
            "#hstr:hacktool:win32/remoteshell",
            "#lowfi:exploit:java/cve-2012-0507",
            "Ransomware",
            "Appleservice",
            "Silent",
            "Alf:backdoor:powershell/reverseshell",
            "Kimsuky",
            "Pegasus - mob-s0005",
            "Pegasus for android - mob-s0032",
            "Hacktool",
            "Trojandownloader:linux/mirai",
            "Maltiverse",
            "Blacknet rat",
            "Invicta stealer",
            "Trojan:js/berbew",
            "Cobalt strike",
            "Go",
            "Mirai (windows)",
            "Graphite (pegasus variant)",
            "Pegasus for ios - s0289",
            "Hallrender",
            "Ransom:win32/cryptor",
            "Alf:backdoor:java/webshell",
            "Orcus rat",
            "Paragon (pegasus variant)",
            "Icefog",
            "Maui ransomware",
            "Win.packer.pkr_ce1a-9980177-0",
            "Careto",
            "Sibot",
            "Starfighter (javascript)",
            "Pegasus",
            "Androidoverlaymalware - mob-s0012",
            "Apnic",
            "Tofsee",
            "Pegasus for mac",
            "Zeroaccess - s0027",
            "Trojan:win32/kryptik",
            "Lolkek",
            "Alf:html/phishing",
            "Goldfinder",
            "Redline stealer",
            "Trojan:win32/comspec",
            "Quasar rat",
            "Trojan",
            "Sabey",
            "Emotet",
            "Virus:win32/grum",
            "Gandcrab",
            "Backdoor:linux/mirai",
            "Html smuggling",
            "Xloader for ios - s0490",
            "#lowfi:siga:trojandownloader:msil/genmaldow",
            "Kryptik",
            "Exodus",
            "Possible",
            "Njrat",
            "Skynet"
          ],
          "industries": [
            "Survivor",
            "Civil",
            "Civilians",
            "Patient",
            "Technology",
            "Entertainment",
            "Insurance",
            "Health",
            "Healthcare",
            "Telecommunications",
            "People",
            "Government",
            "Education",
            "Civil society",
            "Telecom",
            "Individual"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "69ca5d583057aaefed16789a",
      "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
      "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
      "modified": "2026-04-29T11:26:13.615000",
      "created": "2026-03-30T11:24:08.053000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "default",
        "sha256",
        "sha1",
        "data",
        "info",
        "accept",
        "win64",
        "damage",
        "openssl",
        "shutdown",
        "direct",
        "explorer",
        "title",
        "payload",
        "rdap",
        "ip version",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity sg679",
        "handle",
        "stealc config",
        "cncs http"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 351,
        "URL": 392,
        "FileHash-MD5": 149,
        "FileHash-SHA1": 168,
        "FileHash-SHA256": 197,
        "email": 12,
        "hostname": 68,
        "CIDR": 4
      },
      "indicator_count": 1341,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "34 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "695089cbedad5c86f39b1363",
      "name": "Tracking Domains 03.03.26 (Updated Test)",
      "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
      "modified": "2026-04-05T06:35:43.679000",
      "created": "2025-12-28T01:37:15.993000",
      "tags": [
        "privacy badger",
        "sites general",
        "settings widget",
        "domains manage",
        "data privacy",
        "badger",
        "hide"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 50404,
        "hostname": 10879,
        "URL": 715,
        "FileHash-MD5": 1
      },
      "indicator_count": 61999,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 132,
      "modified_text": "58 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b92a27c47d4e28927364",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:26.110000",
      "created": "2026-03-12T13:01:30.067000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 74,
      "modified_text": "81 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b9295603a6100edfa8c8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:25.387000",
      "created": "2026-03-12T13:01:29.284000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 70,
      "modified_text": "81 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927aa7f10e82639d204",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.872000",
      "created": "2026-03-12T13:01:27.872000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "81 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927c086397130c5d114",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.275000",
      "created": "2026-03-12T13:01:27.275000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "81 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b926871746ed8a1bc324",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:26.440000",
      "created": "2026-03-12T13:01:26.440000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "81 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b925e85c948d4dd608cc",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:25.852000",
      "created": "2026-03-12T13:01:25.852000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "81 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b8e974189d2c41f07ed8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:00:25.910000",
      "created": "2026-03-12T13:00:25.910000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "81 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b8e74d2b3effd55f88c3",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:00:23.173000",
      "created": "2026-03-12T13:00:23.173000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "81 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "daum.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "daum.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780404994.2917755
}