{ "type": "Domain", "indicator": "devk.de", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/devk.de", "alexa": "http://www.alexa.com/siteinfo/devk.de", "indicator": "devk.de", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3162394225, "indicator": "devk.de", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a0194269f81650babf9b6c", "name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring", "description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.", "modified": "2024-02-10T15:03:45.065000", "created": "2024-01-11T16:37:22.751000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "historical ssl", "december", "october", "august", "referrer", "execution", "raspberry robin", "ghost rat", "service", "dtrack", "download", "malware", "hijacker", "monitoring", "installer", "masquerading", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "parked domain", "parking crew", "malware hosting", "dga parking", "msie", "cmd", "worm", "dga malvertizing" ], "references": [ "voyour-cams.xww.de", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LokiBot", "display_name": "LokiBot", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "Roshtyak", "display_name": "Roshtyak", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1052.001", "name": "Exfiltration over USB", "display_name": "T1052.001 - Exfiltration over USB" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 83, "FileHash-SHA256": 3484, "URL": 7778, "domain": 2468, "hostname": 2348, "email": 2, "CVE": 1 }, "indicator_count": 16245, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657080d20f7e10c1e37fcf89", "name": "TarrantCounty.com ~ 03.01.2022", "description": "", "modified": "2023-12-06T14:10:26.301000", "created": "2023-12-06T14:10:26.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1078, "domain": 838, "hostname": 1607, "URL": 4134, "email": 3, "FileHash-SHA1": 2, "CIDR": 4, "FileHash-MD5": 15 }, "indicator_count": 7681, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c231f263ca042121a81827", "name": "oracle is shocking", "description": "", "modified": "2022-08-03T00:05:10.569000", "created": "2022-07-04T00:18:58.267000", "tags": [ "span", "section", "button", "tbody", "script", "path", "java", "archive", "download", "cc02v0", "meta", "installer", "date", "iframe", "contact", "form", "service", "critical", "close", "alpha", "false", "click", "main", "energy", "life", "media", "write", "back", "widget", "tools", "protect", "april", "python", "ukraine", "indonesia", "middle", "facebook", "twitter" ], "references": [ "oracle com downl # java.pdf", "www.oracle.com - urlscan.io.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 956, "FileHash-SHA256": 237, "hostname": 197, "domain": 59, "FileHash-MD5": 2 }, "indicator_count": 1451, "is_author": false, "is_subscribing": null, "subscriber_count": 391, "modified_text": "1355 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6294eb02fc943581d0bf4ef1", "name": "www.apple.com:airtag:?cid=CDM-USA-DM-P0021742-498177%22", "description": "", "modified": "2022-06-29T00:00:46.963000", "created": "2022-05-30T16:04:18.749000", "tags": [], "references": [ "www.apple.com:airtag:?cid=CDM-USA-DM-P0021742-498177%22, %22request%22:.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 489, "hostname": 80, "domain": 38, "FileHash-SHA256": 518, "CIDR": 2, "FileHash-MD5": 5 }, "indicator_count": 1132, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62951232023c3cdc0a0f7a1c", "name": "support.apple.com:de-de:HT204247%22", "description": "", "modified": "2022-06-29T00:00:46.963000", "created": "2022-05-30T18:51:30.784000", "tags": [], "references": [ "support.apple.com:de-de:HT204247%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 423, "hostname": 188, "domain": 33, "FileHash-SHA256": 278, "CIDR": 3, "FileHash-MD5": 4 }, "indicator_count": 929, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261cdbea0bb54792ef9ac53", "name": "1and1.com - malware hosting and creation", "description": "Promise.com, or Promise.js, is a new type of word, and here is the full text of its first-ever translation:-a-word, a-d.", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T21:33:50.899000", "tags": [ "noclickid", "error", "aborted", "xmlhttprequest", "typeof e", "cx bus", "genesys telecom", "labs", "promise", "lnull", "typeof t", "date", "typeof", "typeof define", "installtrigger", "weakset", "sfunction", "uk tv", "regexp", "custom code", "typeerror", "sufeffxa0", "typeof symbol", "azaz09", "library loaded", "page top", "path", "query string", "customevent", "afunction", "string", "pfunction", "mfunction", "dfunction", "march", "typeof o", "null", "stackframe", "object", "function", "array", "definition", "rhino", "factory", "isnumber", "plugin", "chrome pdf", "rejected", "target", "event", "started", "engaged", "trident", "internal", "parseint", "growheight", "cdata", "this", "system", "named", "invalid hex3", "invalid hex6", "uinguserid", "functional", "member", "hnew regexp", "qfunction", "adview", "addbillinginfo", "addtocart", "addtolist", "contact", "download", "install", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "copyright", "closure library", "window", "value", "image", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "hubspot", "captcha", "please", "april", "august", "close", "february", "june", "form", "klik", "click", "next", "blank", "este", "rserver", "mais", "void", "number", "uint8array", "fnumber", "xhfunction", "yhfunction", "aw10804098076", "code", "qe", "aw428360528", "aw10816288188", "aw10814683072" ], "references": [ "xfe-URL-Ionos.de-stix2-2.1-export.json", "xfe-URL-1and1.com-stix2-2.1-export.json", "https://www.googletagmanager.com/gtag/js?id=AW-10814683072&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-10816288188&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-476125975&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-428360528&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-10804098076&l=dataLayer&cx=c", "https://js-na1.hs-scripts.com/8230984.js", "https://js.hsleadflows.net/leadflows.js", "https://cdn.taboola.com/libtrc/unip/1123688/tfa.js", "https://pagead2.googlesyndication.com/pagead/js/r20220419/r20110914/elements/html/omrhp.js", "https://snap.licdn.com/li.lms-analytics/insight.min.js", "https://amplify.outbrain.com/cp/obtp.js", "https://uir.uimserv.net/sid/", "https://apps.mypurecloud.de/journey/sdk/js/web/v1/ac.js", "https://www.ionos.com/modules/frontend-applications-common/script/components/stacktrace.js", "https://www.ionos.com/modules/hosting-common/script/privacy/bundle.js", "https://cdn.ionos.com/nk/9c2134ba72b4/6c2bd2fdffdc/launch-67fb473cc73f.min.js", "https://cdn.ionos.de/nk/9c2134ba72b4/6c2bd2fdffdc/0ced1406e60f/RC5068cb5aadbc4ec1a9aa72b8a74193e0-source.min.js", "https://unpkg.com/web-vitals@1.0.1/dist/web-vitals.umd.js", "https://apps.mypurecloud.de/widgets/9.0/cxbus.min.js", "https://tr.outbrain.com/cachedClickId?marketerId=001649abe8bf7b4d6841e1cae4cb770f72" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "UK TV", "display_name": "UK TV", "target": null }, { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null }, { "id": "Qe", "display_name": "Qe", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "FileHash-SHA256": 402, "hostname": 1610, "domain": 553, "CVE": 1, "FileHash-MD5": 1 }, "indicator_count": 6159, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62520e6c1b128fdbcaa87e4e", "name": "http://15.237.136.106/b/ss/vodafonegroupitglobalprod/10/js-2.20.0", "description": "", "modified": "2022-05-09T00:00:19.127000", "created": "2022-04-09T22:53:32.810000", "tags": [ "malware", "decrypted ssl", "windows nt", "kaht", "ukraine", "april", "malicious", "february", "france unknown", "15.237.136.106", "review-fix-upload-dqpyzu.galia.development.atoptima.com", "http://15.237.136.106/b/ss/vodafonegroupitglobalprod/10/js-2.20." ], "references": [ "atoptima.fr\t2022-04-09 02:22 AS16509 AMAZON-02\t France", "15.237.136.106", "review-fix-upload-dqpyzu.galia.development.atoptima.com", "http://15.237.136.106/b/ss/vodafonegroupitglobalprod/10/js-2.20.0", "https://hybrid-analysis.com/sample/72aa25a6ea57d8ba7d41308adc5d3df7a487ae6c31171349d17c27f6732fb065/625202f6c0b9240c5f6a7b92" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 334, "hostname": 177, "domain": 71, "FileHash-SHA256": 110, "CVE": 1, "FileHash-MD5": 55, "FileHash-SHA1": 44 }, "indicator_count": 792, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1441 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "623b76906394e513998559be", "name": "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378", "description": "", "modified": "2022-04-22T00:03:50.614000", "created": "2022-03-23T19:35:44.755000", "tags": [], "references": [ "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378- 483986&cp=em-P0021378-483986&sr=em%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 490, "hostname": 185, "FileHash-SHA256": 272, "CIDR": 4, "FileHash-MD5": 5 }, "indicator_count": 989, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1458 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231bba93e094ab9c9858a1a", "name": "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378- 483986&cp=em-P0021378-483986&sr=em%22,.pdf", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T10:27:53.224000", "tags": [], "references": [ "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378- 483986&cp=em-P0021378-483986&sr=em%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 460, "hostname": 173, "domain": 32, "FileHash-SHA256": 272, "CIDR": 4, "FileHash-MD5": 5 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6230e0c5997d9783e5d83f74", "name": "www.apple.com:ipad:cellular.%22", "description": "", "modified": "2022-04-14T00:01:40.805000", "created": "2022-03-15T18:53:57.725000", "tags": [], "references": [ "www.apple.com:ipad:cellular.%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 289, "hostname": 95, "domain": 25, "FileHash-SHA256": 233, "CIDR": 1, "FileHash-MD5": 3 }, "indicator_count": 646, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1466 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62276abfaa65cd33f64331f8", "name": "TarrantCounty.com ~ 03.01.2022", "description": "", "modified": "2022-04-07T00:04:02.553000", "created": "2022-03-08T14:39:59.235000", "tags": [ "march", "lookup go", "rescan add", "verdict report", "de summary", "http", "redirects links", "behaviour", "similar dom", "content api", "value", "search url", "search domain", "scan url", "url search", "domain scan", "url url", "motor vehicle", "aqb1", "eventsevent10", "meta", "show", "download go", "full url", "reverse dns", "resource", "windows nt", "win64", "khtml", "gecko", "response", "main", "milan", "apache", "paris", "accept" ], "references": [ "TarrantCounty3df.pdf", "TarantCounty2df.pdf", "TarrantCounty4df.pdf", "TarrantCounty5df.pdf", "tarrant23df.pdf", "TarrantCounty1df.pdf", "tarrantcounty.com:en:elections:Voter-Information:Voter- Registration.html%22,.pdf", "TarrantCounty6df.pdf", "TarrantCounty7df.pdf", "TarrantCounty10df.pdf", "TarrantCounty9df.pdf", "TarrantCounty17df.pdf", "TarrantCounty15df.pdf", "TarrantCounty12df.pdf", "TarrantCounty14df.pdf", "tarrantcounty8df.pdf", "TarrantCounty18df.pdf", "TarrantCounty19df.pdf", "TarrantCounty21df.pdf", "tarrantcounty22df.pdf", "TarrantCounty20df.pdf", "tarrantcountydf.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4134, "hostname": 1607, "domain": 838, "FileHash-SHA256": 1078, "FileHash-SHA1": 2, "email": 3, "CIDR": 4, "FileHash-MD5": 15 }, "indicator_count": 7681, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "TarrantCounty17df.pdf", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "https://uir.uimserv.net/sid/", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "https://snap.licdn.com/li.lms-analytics/insight.min.js", "https://pagead2.googlesyndication.com/pagead/js/r20220419/r20110914/elements/html/omrhp.js", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "https://www.googletagmanager.com/gtag/js?id=AW-10814683072&l=dataLayer&cx=c", "TarrantCounty3df.pdf", "https://cdn.ionos.com/nk/9c2134ba72b4/6c2bd2fdffdc/launch-67fb473cc73f.min.js", "https://prod.centurylinktechnology.com", "TarrantCounty21df.pdf", "pcup.gov.ph:", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude", "https://unpkg.com/web-vitals@1.0.1/dist/web-vitals.umd.js", "Tipped: A targets AI and other cyber research findings.", "TarrantCounty19df.pdf", "tarrantcountydf.pdf", "oracle com downl # java.pdf", "tarrantcounty22df.pdf", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "https://js.hsleadflows.net/leadflows.js", "TarrantCounty1df.pdf", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "https://www.ionos.com/modules/hosting-common/script/privacy/bundle.js", "https://palapa.c.id\t (c.id)", "TarantCounty2df.pdf", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "TarrantCounty5df.pdf", "voyour-cams.xww.de", "ASP. NET", "https://tr.outbrain.com/cachedClickId?marketerId=001649abe8bf7b4d6841e1cae4cb770f72", "TarrantCounty14df.pdf", "TarrantCounty15df.pdf", "tarrantcounty8df.pdf", "UPX_OEP_place", "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378- 483986&cp=em-P0021378-483986&sr=em%22,.pdf", "https://feedback.ptv.vic.gov.au/360", "TarrantCounty4df.pdf", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://brand2.centurylinktechnology.com", "www.apple.com:ipad:cellular.%22,.pdf", "https://hybrid-analysis.com/sample/72aa25a6ea57d8ba7d41308adc5d3df7a487ae6c31171349d17c27f6732fb065/625202f6c0b9240c5f6a7b92", "TarrantCounty10df.pdf", "TarrantCounty9df.pdf", "https://www.googletagmanager.com/gtag/js?id=AW-428360528&l=dataLayer&cx=c", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "xfe-URL-1and1.com-stix2-2.1-export.json", "https://www.googletagmanager.com/gtag/js?id=AW-10816288188&l=dataLayer&cx=c", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "www.oracle.com - urlscan.io.pdf", "inst.govelopscold.com", "https://js-na1.hs-scripts.com/8230984.js", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "atoptima.fr\t2022-04-09 02:22 AS16509 AMAZON-02\t France", "http://15.237.136.106/b/ss/vodafonegroupitglobalprod/10/js-2.20.0", "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "cedevice.io \u2022 decagonsoftware.com", "TarrantCounty7df.pdf", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "tarrantcounty.com:en:elections:Voter-Information:Voter- Registration.html%22,.pdf", "www.apple.com:airtag:?cid=CDM-USA-DM-P0021742-498177%22, %22request%22:.pdf", "support.apple.com:de-de:HT204247%22,.pdf", "https://cdn.taboola.com/libtrc/unip/1123688/tfa.js", "https://cdn.ionos.de/nk/9c2134ba72b4/6c2bd2fdffdc/0ced1406e60f/RC5068cb5aadbc4ec1a9aa72b8a74193e0-source.min.js", "https://apps.mypurecloud.de/journey/sdk/js/web/v1/ac.js", "TarrantCounty20df.pdf", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "TarrantCounty12df.pdf", "https://www.googletagmanager.com/gtag/js?id=AW-476125975&l=dataLayer&cx=c", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "review-fix-upload-dqpyzu.galia.development.atoptima.com", "tarrant23df.pdf", "https://elegantcosmedampyeah.pages.dev/", "https://mobile-pocket-guide.centurylinktechnology.com", "TarrantCounty18df.pdf", "7box.vip", "https://www.ionos.com/modules/frontend-applications-common/script/components/stacktrace.js", "https://apps.mypurecloud.de/widgets/9.0/cxbus.min.js", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "15.237.136.106", "TarrantCounty6df.pdf", "xfe-URL-Ionos.de-stix2-2.1-export.json", "Yare: compromised_site_redirector_fromcharcode", "Alerts: console_output has_pdb pe_unknown_resource_name", "https://amplify.outbrain.com/cp/obtp.js", "https://brand.centurylinktechnology.com", "https://www.googletagmanager.com/gtag/js?id=AW-10804098076&l=dataLayer&cx=c" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Lokibot", "Pws:win32/axespec.a", "Worm:win32/benjamin", "Uk tv", "Worm:win32/lightmoon.h", "Trojan.tofsee/botx", "Outubro", "Rabu", "Alf:jasyp:trojan:win32/ircbot!atmn", "Roshtyak", "Anda", "Ghost rat", "Vui", "Tente", "Vasaris", "Trackingclient", "Qe", "Srpanj", "Raspberry robin" ], "industries": [ "Government", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "697cdce9ec418c422eee2054", "name": "Device Isolation: Lumen Technologies | Palantir and \u2018Boots on the Ground Operations\u2019", "description": "Device Isolation: Lumen Technologies (formerly CenturyLink) deployed as an admin on iOS devices. Standard factory resets may prove ineffective. Complete hardware \"air-gap\" or clean devices that have never touched your home network may be best option for deeply monitored targets.\n\nSummary of the Campaign:\nThe involvement of Lumen Technologies (as an unwanted admin), Foundry (Palantir) for data mapping, and Mirai Botnet for network disruption represents a \"scorched earth\" approach to digital destruction. Target treated as a criminal through Cellebrite, implicates specific attackers attempted to legalize what was actually a predatory stalking campaign/s.\n\n\nSurveillance Overlap: The use of Lumen Technologies and Palantir, tools allows for real-time tracking of a target's physical location\u2014explains how \u2018boots on the ground\u2019 offenders can stalk , surveillance , confront, assault and engage in various damaging attacks of specific monitored targets.", "modified": "2026-03-01T16:05:57.375000", "created": "2026-01-30T16:31:37.011000", "tags": [ "url https", "url http", "tlsv1", "whitelisted", "united", "read c", "as15169", "stcalifornia", "execution", "dock", "write", "persistence", "malware", "encrypt", "active", "lumen technologies", "number", "error", "regexp", "sxa0", "amptoken", "optout", "retrieving", "notfound", "unknown", "form", "flash", "backdoor", "writeconsolew", "yara detections", "command line", "pdb path", "pe resource", "internalname", "windows command", "A", "aws", "name servers", "url analysis", "passive dns", "urls", "data upload", "extraction", "palantir", "c2", "aerospace", "tracking", "spywatchdog", "palapa-c2", "communications satellite", "amazon", "hughesnet", "icmp traffic", "washington c", "washington ou", "mopr", "mon jul", "local", "dynamic", "apple", "network", "t1057", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1480", "guardrails", "t1566", "present jan", "unknown ns", "ip address", "dnssec", "domain", "dynamic dns", "government", "pcup", "germany unknown", "link", "dns hosting", "cloudns", "cloud dns", "a domains", "ipv4 add", "title", "meta", "class", "servers", "present aug", "aaaa", "present sep", "present nov", "present jul", "present may", "moved", "canada unknown", "begin", "record value", "gmt content", "type", "hostname add", "files", "ascii text", "pattern match", "href", "mitre att", "ck id", "ck matrix", "network traffic", "et info", "general", "path", "click", "learn", "command", "name tactics", "suspicious", "informative", "adversaries", "input url", "defense evasion", "france", "ireland", "netherlands", "denmark", "united kingdom", "type indicator", "role title", "added active", "savvis", "centurylinktechnology", "hybrid analysis", "monitoring tools", "monitored target", "triangulation", "worm", "intel", "ms windows", "pe32", "write c", "delete c", "show", "russia as47764", "unix", "lsan jose", "odigicert inc", "markus", "url add", "http", "related nids", "files location", "russia flag", "russia hostname", "russia", "russia unknown", "hosting", "federation flag", "body", "gmt vary", "accept encoding", "gmt cache", "certificate", "pulse submit", "unknown aaaa", "search", "entries", "script domains", "script urls", "pdx cf" ], "references": [ "\u2018Lumen Technologies\u2019 Acting as administrator of a targeted Apple IOS device", "Yare: compromised_site_redirector_fromcharcode", "Alerts: network_icmp nolookup_communication js_eval recon_fingerprint", "Alerts: console_output has_pdb pe_unknown_resource_name", "File Type PEXE - PE32+ executable (console) x86-64, for MS Windows ..", "Tipped: A targets AI and other cyber research findings.", "A \u2018Target\u2019 became a \u2018Target\u2019 vja close association to main Target of predatory retaliation campaign.", "track.spywarewatchdog.org \u2022 https://track.spywarewatchdog.org - monitoring software", "https://palapa.c.id\t (c.id)", "Containers-Pecorino.PalantirGov.com -pecorino.palantirgov.com", "cedevice.io \u2022 decagonsoftware.com", "http://applevless.dns-dynamic.net/\t\u2022 dns-dynamic.net", "http://www.pcup.gov.ph/images/2018/pdf/ComEnBancReso/Commission_Resolution_07s2018.PDF", "pcup.gov.ph:", "http://www.pcup.gov.ph/images/pdf/Contract_of_SecurityServices2013.pdf pcup.gov.ph:", "https://pcup.gov.ph/375 pcup.gov.ph: | https://www.pcup.gov.ph/ pcup.gov.ph:", "https://elegantcosmedampyeah.pages.dev/", "https://www.ptv.vic.gov.au/more/travelling-on-the-network/lets-go/", "inst.govelopscold.com", "https://feedback.ptv.vic.gov.au/360", "nginx-php.7d4jelnf.trdlpbvl.sdp3.sdp.vic.gov.au", "nginx-php.standby.content-premier-vic-gov-au.sdp3.sdp.vic.gov.au", "https://hybrid-analysis.com/sample/a16d11910953b800369dbb667f178b3cc45cb8e3315217c0e6ceac68eeba206d", "https://brand.centurylinktechnology.com", "https://prod.centurylinktechnology.com", "https://brand2.centurylinktechnology.com", "https://mobile-pocket-guide.centurylinktechnology.com", "UPX_OEP_place", "Russia or Muskware? URL http://store.7box.vip/ad/C467F60A1AD6.Jpeg", "ASP. NET", "https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v4.0&appId=705930270206797&autoLogAppEvents=1 Akamai rank:", "7box.vip" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Tofsee/Botx", "display_name": "Trojan.Tofsee/Botx", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn", "target": null }, { "id": "PWS:Win32/Axespec.A", "display_name": "PWS:Win32/Axespec.A", "target": "/malware/PWS:Win32/Axespec.A" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1069.003", "name": "Cloud Groups", "display_name": "T1069.003 - Cloud Groups" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 102, "FileHash-SHA1": 59, "FileHash-SHA256": 1929, "domain": 854, "hostname": 2156, "URL": 4475, "SSLCertFingerprint": 9, "email": 7, "CVE": 1 }, "indicator_count": 9592, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "49 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a0194269f81650babf9b6c", "name": "Raspberry Robin | Hijacker | link: voyour-cams.xww.de | Monitoring", "description": "Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive.\nTo be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.\n\nBy using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.", "modified": "2024-02-10T15:03:45.065000", "created": "2024-01-11T16:37:22.751000", "tags": [ "ssl certificate", "whois record", "contacted", "threat roundup", "historical ssl", "december", "october", "august", "referrer", "execution", "raspberry robin", "ghost rat", "service", "dtrack", "download", "malware", "hijacker", "monitoring", "installer", "masquerading", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "nginx", "parked domain", "parking crew", "malware hosting", "dga parking", "msie", "cmd", "worm", "dga malvertizing" ], "references": [ "voyour-cams.xww.de", "https://otx.alienvault.com/malware/Worm:Win32%2FBenjamin/samples", "https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LokiBot", "display_name": "LokiBot", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "Roshtyak", "display_name": "Roshtyak", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1052.001", "name": "Exfiltration over USB", "display_name": "T1052.001 - Exfiltration over USB" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 83, "FileHash-SHA256": 3484, "URL": 7778, "domain": 2468, "hostname": 2348, "email": 2, "CVE": 1 }, "indicator_count": 16245, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657080d20f7e10c1e37fcf89", "name": "TarrantCounty.com ~ 03.01.2022", "description": "", "modified": "2023-12-06T14:10:26.301000", "created": "2023-12-06T14:10:26.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1078, "domain": 838, "hostname": 1607, "URL": 4134, "email": 3, "FileHash-SHA1": 2, "CIDR": 4, "FileHash-MD5": 15 }, "indicator_count": 7681, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c231f263ca042121a81827", "name": "oracle is shocking", "description": "", "modified": "2022-08-03T00:05:10.569000", "created": "2022-07-04T00:18:58.267000", "tags": [ "span", "section", "button", "tbody", "script", "path", "java", "archive", "download", "cc02v0", "meta", "installer", "date", "iframe", "contact", "form", "service", "critical", "close", "alpha", "false", "click", "main", "energy", "life", "media", "write", "back", "widget", "tools", "protect", "april", "python", "ukraine", "indonesia", "middle", "facebook", "twitter" ], "references": [ "oracle com downl # java.pdf", "www.oracle.com - urlscan.io.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 956, "FileHash-SHA256": 237, "hostname": 197, "domain": 59, "FileHash-MD5": 2 }, "indicator_count": 1451, "is_author": false, "is_subscribing": null, "subscriber_count": 391, "modified_text": "1355 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6294eb02fc943581d0bf4ef1", "name": "www.apple.com:airtag:?cid=CDM-USA-DM-P0021742-498177%22", "description": "", "modified": "2022-06-29T00:00:46.963000", "created": "2022-05-30T16:04:18.749000", "tags": [], "references": [ "www.apple.com:airtag:?cid=CDM-USA-DM-P0021742-498177%22, %22request%22:.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 489, "hostname": 80, "domain": 38, "FileHash-SHA256": 518, "CIDR": 2, "FileHash-MD5": 5 }, "indicator_count": 1132, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62951232023c3cdc0a0f7a1c", "name": "support.apple.com:de-de:HT204247%22", "description": "", "modified": "2022-06-29T00:00:46.963000", "created": "2022-05-30T18:51:30.784000", "tags": [], "references": [ "support.apple.com:de-de:HT204247%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 423, "hostname": 188, "domain": 33, "FileHash-SHA256": 278, "CIDR": 3, "FileHash-MD5": 4 }, "indicator_count": 929, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261cdbea0bb54792ef9ac53", "name": "1and1.com - malware hosting and creation", "description": "Promise.com, or Promise.js, is a new type of word, and here is the full text of its first-ever translation:-a-word, a-d.", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T21:33:50.899000", "tags": [ "noclickid", "error", "aborted", "xmlhttprequest", "typeof e", "cx bus", "genesys telecom", "labs", "promise", "lnull", "typeof t", "date", "typeof", "typeof define", "installtrigger", "weakset", "sfunction", "uk tv", "regexp", "custom code", "typeerror", "sufeffxa0", "typeof symbol", "azaz09", "library loaded", "page top", "path", "query string", "customevent", "afunction", "string", "pfunction", "mfunction", "dfunction", "march", "typeof o", "null", "stackframe", "object", "function", "array", "definition", "rhino", "factory", "isnumber", "plugin", "chrome pdf", "rejected", "target", "event", "started", "engaged", "trident", "internal", "parseint", "growheight", "cdata", "this", "system", "named", "invalid hex3", "invalid hex6", "uinguserid", "functional", "member", "hnew regexp", "qfunction", "adview", "addbillinginfo", "addtocart", "addtolist", "contact", "download", "install", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "copyright", "closure library", "window", "value", "image", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "hubspot", "captcha", "please", "april", "august", "close", "february", "june", "form", "klik", "click", "next", "blank", "este", "rserver", "mais", "void", "number", "uint8array", "fnumber", "xhfunction", "yhfunction", "aw10804098076", "code", "qe", "aw428360528", "aw10816288188", "aw10814683072" ], "references": [ "xfe-URL-Ionos.de-stix2-2.1-export.json", "xfe-URL-1and1.com-stix2-2.1-export.json", "https://www.googletagmanager.com/gtag/js?id=AW-10814683072&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-10816288188&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-476125975&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-428360528&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=AW-10804098076&l=dataLayer&cx=c", "https://js-na1.hs-scripts.com/8230984.js", "https://js.hsleadflows.net/leadflows.js", "https://cdn.taboola.com/libtrc/unip/1123688/tfa.js", "https://pagead2.googlesyndication.com/pagead/js/r20220419/r20110914/elements/html/omrhp.js", "https://snap.licdn.com/li.lms-analytics/insight.min.js", "https://amplify.outbrain.com/cp/obtp.js", "https://uir.uimserv.net/sid/", "https://apps.mypurecloud.de/journey/sdk/js/web/v1/ac.js", "https://www.ionos.com/modules/frontend-applications-common/script/components/stacktrace.js", "https://www.ionos.com/modules/hosting-common/script/privacy/bundle.js", "https://cdn.ionos.com/nk/9c2134ba72b4/6c2bd2fdffdc/launch-67fb473cc73f.min.js", "https://cdn.ionos.de/nk/9c2134ba72b4/6c2bd2fdffdc/0ced1406e60f/RC5068cb5aadbc4ec1a9aa72b8a74193e0-source.min.js", "https://unpkg.com/web-vitals@1.0.1/dist/web-vitals.umd.js", "https://apps.mypurecloud.de/widgets/9.0/cxbus.min.js", "https://tr.outbrain.com/cachedClickId?marketerId=001649abe8bf7b4d6841e1cae4cb770f72" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "UK TV", "display_name": "UK TV", "target": null }, { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null }, { "id": "Qe", "display_name": "Qe", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "FileHash-SHA256": 402, "hostname": 1610, "domain": 553, "CVE": 1, "FileHash-MD5": 1 }, "indicator_count": 6159, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62520e6c1b128fdbcaa87e4e", "name": "http://15.237.136.106/b/ss/vodafonegroupitglobalprod/10/js-2.20.0", "description": "", "modified": "2022-05-09T00:00:19.127000", "created": "2022-04-09T22:53:32.810000", "tags": [ "malware", "decrypted ssl", "windows nt", "kaht", "ukraine", "april", "malicious", "february", "france unknown", "15.237.136.106", "review-fix-upload-dqpyzu.galia.development.atoptima.com", "http://15.237.136.106/b/ss/vodafonegroupitglobalprod/10/js-2.20." ], "references": [ "atoptima.fr\t2022-04-09 02:22 AS16509 AMAZON-02\t France", "15.237.136.106", "review-fix-upload-dqpyzu.galia.development.atoptima.com", "http://15.237.136.106/b/ss/vodafonegroupitglobalprod/10/js-2.20.0", "https://hybrid-analysis.com/sample/72aa25a6ea57d8ba7d41308adc5d3df7a487ae6c31171349d17c27f6732fb065/625202f6c0b9240c5f6a7b92" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 334, "hostname": 177, "domain": 71, "FileHash-SHA256": 110, "CVE": 1, "FileHash-MD5": 55, "FileHash-SHA1": 44 }, "indicator_count": 792, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1441 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "623b76906394e513998559be", "name": "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378", "description": "", "modified": "2022-04-22T00:03:50.614000", "created": "2022-03-23T19:35:44.755000", "tags": [], "references": [ "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378- 483986&cp=em-P0021378-483986&sr=em%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 490, "hostname": 185, "FileHash-SHA256": 272, "CIDR": 4, "FileHash-MD5": 5 }, "indicator_count": 989, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1458 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231bba93e094ab9c9858a1a", "name": "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378- 483986&cp=em-P0021378-483986&sr=em%22,.pdf", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T10:27:53.224000", "tags": [], "references": [ "locate.apple.com:in:en:?cid=CDM-IN-DM-P0021378- 483986&cp=em-P0021378-483986&sr=em%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 460, "hostname": 173, "domain": 32, "FileHash-SHA256": 272, "CIDR": 4, "FileHash-MD5": 5 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "devk.de", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "devk.de", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776639593.704668 }