{
  "type": "Domain",
  "indicator": "dns.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/dns.com",
    "alexa": "http://www.alexa.com/siteinfo/dns.com",
    "indicator": "dns.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 104682,
      "indicator": "dns.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "698e93e1ab02db8c49e8c3ed",
          "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
          "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
          "modified": "2026-05-17T15:52:35.396000",
          "created": "2026-02-13T03:00:49.872000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
            "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28000,
            "FileHash-SHA256": 48374,
            "FileHash-MD5": 42596,
            "FileHash-SHA1": 23243,
            "hostname": 35654,
            "URL": 75758,
            "SSLCertFingerprint": 30,
            "CVE": 7585,
            "email": 316,
            "FileHash-IMPHASH": 8,
            "CIDR": 26205,
            "JA3": 1,
            "URI": 5,
            "IPv4": 574,
            "Mutex": 1
          },
          "indicator_count": 288350,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "14 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f97a905451e3304319988b",
          "name": ".may 4 clone own on may 5",
          "description": "",
          "modified": "2026-05-07T02:57:38.229000",
          "created": "2026-05-05T05:05:20.493000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69f7fa1a282840a6e0aa370c",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 341,
            "FileHash-SHA1": 368,
            "FileHash-SHA256": 3143,
            "hostname": 2037,
            "IPv4": 186,
            "URL": 3288,
            "CIDR": 12,
            "email": 43,
            "domain": 1645,
            "URI": 1,
            "SSLCertFingerprint": 18,
            "CVE": 1
          },
          "indicator_count": 11083,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f7fa1a282840a6e0aa370c",
          "name": "May the 4th be with... every destructed file that never died",
          "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.",
          "modified": "2026-05-05T05:04:02.911000",
          "created": "2026-05-04T01:44:57.811000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 341,
            "FileHash-SHA1": 368,
            "FileHash-SHA256": 3142,
            "hostname": 1890,
            "IPv4": 162,
            "URL": 3241,
            "CIDR": 12,
            "email": 37,
            "domain": 1616,
            "URI": 1,
            "SSLCertFingerprint": 18
          },
          "indicator_count": 10828,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e30ffa710fafb6d651ca89",
          "name": "Kelowna detachment - British Columbia by streamminingex",
          "description": "",
          "modified": "2026-04-18T05:46:36.582000",
          "created": "2026-04-18T05:00:42.166000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6570a552ac0b6570454709f7",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 15,
            "URL": 1354,
            "FileHash-MD5": 1308,
            "FileHash-SHA1": 1314,
            "FileHash-SHA256": 4898,
            "hostname": 1401,
            "email": 62,
            "domain": 1239,
            "CIDR": 8
          },
          "indicator_count": 11599,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "43 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e30ffde212f52470137868",
          "name": "Kelowna detachment - British Columbia by streamminingex",
          "description": "",
          "modified": "2026-04-18T05:46:26.897000",
          "created": "2026-04-18T05:00:45.780000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6570a552ac0b6570454709f7",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 15,
            "URL": 1358,
            "FileHash-MD5": 1308,
            "FileHash-SHA1": 1314,
            "FileHash-SHA256": 4898,
            "hostname": 1405,
            "email": 62,
            "domain": 1242,
            "CIDR": 8
          },
          "indicator_count": 11610,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "43 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64e1d5e06aa6207f78de",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:21.863000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "66 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64eccb5d39a90a3c391e",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:32.565000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "66 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6928f8d9e4222a6a219d785e",
          "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
          "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
          "modified": "2025-12-28T00:04:06.179000",
          "created": "2025-11-28T01:20:25.401000",
          "tags": [
            "dynamicloader",
            "json",
            "ascii text",
            "high",
            "data",
            "x90uxa4xf8",
            "cape",
            "stream",
            "guard",
            "write",
            "trojan",
            "redline",
            "malware",
            "push",
            "local",
            "injection_inter_process",
            "recon_fingerprint",
            "persistence_ads",
            "process_creation_suspicious_location",
            "infostealer_browser",
            "infostealer_cookies",
            "stealth_file",
            "cape_detected_threat",
            "antivm_generic_bios",
            "cape_extracted_content",
            "united",
            "mtb jul",
            "a domains",
            "aaaa",
            "443 ma86400",
            "servers",
            "win32upatre jul",
            "virtool",
            "b778b1",
            "div div",
            "d9e4f4",
            "edf2f8",
            "present mar",
            "fastest privacy",
            "first dns",
            "win32",
            "trojandropper",
            "passive dns",
            "mtb nov",
            "ipv4 add",
            "asn as13335",
            "dns resolutions",
            "domain",
            "data upload",
            "extraction",
            "yara",
            "troja yara",
            "trojar data",
            "virto",
            "worn data",
            "included iocs",
            "manually add",
            "resolved ips",
            "ta0002",
            "evasion ta0005",
            "tr shared",
            "modules",
            "files",
            "infor",
            "t1027",
            "process t1057",
            "community score",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "ssl certificate",
            "defense evasion",
            "spawns",
            "flag",
            "name server",
            "date",
            "cloudflare",
            "data protected",
            "misc activity",
            "et info",
            "dns requests",
            "domain address",
            "gmt flag",
            "techtarget",
            "server",
            "et policy",
            "prefetch2",
            "t1179 hooking",
            "access windows",
            "installs",
            "mitre att",
            "ck techniques",
            "click",
            "windir",
            "country",
            "contacted hosts",
            "ip address",
            "process details",
            "contacted",
            "http traffic",
            "suricata alerts",
            "event category",
            "found"
          ],
          "references": [
            "Malware : ClipBanker Entity: Crazy Frost",
            "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
            "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
            "Services : GoogleChromeElevationService = Delete",
            "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
            "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
            "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
            "Yara: TrojanWin32Kredbegg  CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
            "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
            "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
            "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
            "CS IDS: Matches rule (http_inspect) invalid status line",
            "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
            "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
            "http://www.anyxxxtube/"
          ],
          "public": 1,
          "adversary": "Crazy Frost",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
              "target": null
            },
            {
              "id": "Trojan.Disfa/downloader10",
              "display_name": "Trojan.Disfa/downloader10",
              "target": null
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zusy",
              "display_name": "Trojan:Win32/Zusy",
              "target": "/malware/Trojan:Win32/Zusy"
            },
            {
              "id": "Rozena",
              "display_name": "Rozena",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1464",
              "name": "Jamming or Denial of Service",
              "display_name": "T1464 - Jamming or Denial of Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 295,
            "FileHash-SHA1": 217,
            "FileHash-SHA256": 1887,
            "URL": 3263,
            "domain": 597,
            "hostname": 1085,
            "email": 2,
            "CVE": 1
          },
          "indicator_count": 7347,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "155 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c4780e758249ca5e4e2345",
          "name": "easydns[.]com - 09.12.25",
          "description": "Just taking a peak into something",
          "modified": "2025-10-12T19:19:29.699000",
          "created": "2025-09-12T19:44:14.645000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "pcap processing",
            "pcap",
            "brand",
            "gecko",
            "win64",
            "khtml",
            "windows nt",
            "microsoft edge",
            "ansi",
            "cookie",
            "date",
            "apache",
            "accept",
            "window",
            "wind",
            "suspicious",
            "mozi",
            "mozilla",
            "comspec",
            "hybrid",
            "model",
            "close",
            "click",
            "hosts",
            "bran",
            "general",
            "path",
            "encrypt",
            "form",
            "iframe",
            "dest",
            "strings",
            "contact",
            "url",
            "scanner",
            "reputation",
            "phishing",
            "wordpress",
            "javascript",
            "google tag",
            "manager",
            "domain",
            "mysql",
            "warning icon",
            "share report",
            "systems",
            "cloudflare",
            "write",
            "beaver",
            "static analyzer",
            "emulation",
            "analyzer",
            "asset search",
            "entity",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "ioc",
            "extraction",
            "platform",
            "please"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/bae6209a84b8b9558b228097c01111583ce257b69a6b25e19986a0a4d29adda2/68c46ded99414072330569f7",
            "https://urlquery.net/report/647c05f2-4e0d-4b33-8ec7-4c949e928bfb",
            "https://app.threat.zone/submission/bee9384a-885f-4a41-84d1-3fd6a20a6202/url-analysis-report",
            "https://www.criminalip.io/asset/search?query=easydns.com",
            "https://www.virustotal.com/graph/embed/g69ea548b8df6420181ba26257fd94c975c372d52a00741e0962ca0f024740ffa?theme=dark",
            "https://www.filescan.io/uploads/68c46d04dbc6f5a29c427d1b/reports/f599fde4-a148-45cd-a7f8-ecc996938de2/ioc",
            "https://www.virustotal.com/gui/domain/easydns.com/details",
            "https://www.virustotal.com/gui/domain/easydns.com/relations",
            "https://intelx.io/?s=easydns.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Beaver",
              "display_name": "Beaver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 140,
            "FileHash-SHA1": 133,
            "FileHash-SHA256": 507,
            "SSLCertFingerprint": 16,
            "URL": 271,
            "domain": 68,
            "email": 3,
            "hostname": 273
          },
          "indicator_count": 1411,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "231 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67aac6e4b628acffaed3f068",
          "name": "New Batch - Malcerts - 02.10.25 - unenriched",
          "description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates",
          "modified": "2025-03-16T17:01:06.968000",
          "created": "2025-02-11T03:41:24.585000",
          "tags": [
            "UAlberta",
            "Malcerts",
            "Certificates",
            "Eduroam",
            "Alberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
            "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
            "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
            "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
            "https://tria.ge/250210-3c3c3askfz",
            "https://tria.ge/250210-3nh4kasmes",
            "https://tria.ge/250210-3y8f7sspdy",
            "https://tria.ge/250211-dhpxgswlax",
            "https://tria.ge/250211-dt1hcswme1",
            "https://tria.ge/250211-dx9v7swnbw",
            "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
            "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
            "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
            "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
            "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government",
            "Healthcare",
            "Telecommunications",
            "Finance",
            "Agriculture",
            "Hospitality",
            "Media",
            "Retail"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 831,
            "FileHash-SHA1": 801,
            "FileHash-SHA256": 3227,
            "URL": 395,
            "domain": 189,
            "hostname": 798
          },
          "indicator_count": 6241,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "441 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570a552ac0b6570454709f7",
          "name": "Kelowna detachment - British Columbia         (Pulse created by ellenmmm)",
          "description": "",
          "modified": "2023-12-06T16:46:09.708000",
          "created": "2023-12-06T16:46:09.708000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 15,
            "URL": 1349,
            "FileHash-MD5": 1308,
            "FileHash-SHA1": 1314,
            "FileHash-SHA256": 4898,
            "hostname": 1401,
            "email": 62,
            "domain": 1237,
            "CIDR": 8
          },
          "indicator_count": 11592,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709fb3b919327802eaa6c5",
          "name": "Kelowna detachment - British Columbia",
          "description": "",
          "modified": "2023-12-06T16:22:11.032000",
          "created": "2023-12-06T16:22:11.032000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 15,
            "URL": 1349,
            "FileHash-MD5": 1308,
            "FileHash-SHA1": 1314,
            "FileHash-SHA256": 4898,
            "hostname": 1401,
            "email": 62,
            "domain": 1237,
            "CIDR": 8
          },
          "indicator_count": 11592,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64d95fd67f4ea1e4a8cb8d38",
          "name": "Kelowna detachment - British Columbia",
          "description": "https://www.rcmp-grc.gc.ca/detach/en/d/201",
          "modified": "2023-09-21T05:02:23.556000",
          "created": "2023-08-13T22:57:26.810000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ellenmmm",
            "id": "233693",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1488,
            "domain": 1323,
            "email": 70,
            "URL": 1453,
            "FileHash-SHA1": 2122,
            "FileHash-SHA256": 9810,
            "FileHash-MD5": 2117,
            "CVE": 15,
            "CIDR": 8
          },
          "indicator_count": 18406,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 87,
          "modified_text": "983 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6507da1c48c6e5e5dd1ce72f",
          "name": "Kelowna detachment - British Columbia         (Pulse created by ellenmmm)",
          "description": "",
          "modified": "2023-09-21T05:02:23.556000",
          "created": "2023-09-18T05:03:24.704000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "64d95fd67f4ea1e4a8cb8d38",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1488,
            "domain": 1323,
            "email": 70,
            "URL": 1453,
            "FileHash-SHA1": 2122,
            "FileHash-SHA256": 9810,
            "FileHash-MD5": 2117,
            "CVE": 15,
            "CIDR": 8
          },
          "indicator_count": 18406,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "983 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "https://tria.ge/250210-3nh4kasmes",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "https://tria.ge/250211-dhpxgswlax",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "https://app.threat.zone/submission/bee9384a-885f-4a41-84d1-3fd6a20a6202/url-analysis-report",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
        "Services : GoogleChromeElevationService = Delete",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
        "CS IDS: Matches rule (http_inspect) invalid status line",
        "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "https://www.virustotal.com/graph/embed/g69ea548b8df6420181ba26257fd94c975c372d52a00741e0962ca0f024740ffa?theme=dark",
        "https://www.virustotal.com/gui/domain/easydns.com/relations",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
        "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
        "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
        "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "https://tria.ge/250210-3y8f7sspdy",
        "https://intelx.io/?s=easydns.com",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "http://www.anyxxxtube/",
        "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
        "https://tria.ge/250210-3c3c3askfz",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
        "https://www.criminalip.io/asset/search?query=easydns.com",
        "https://www.filescan.io/uploads/68c46d04dbc6f5a29c427d1b/reports/f599fde4-a148-45cd-a7f8-ecc996938de2/ioc",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "https://hybrid-analysis.com/sample/bae6209a84b8b9558b228097c01111583ce257b69a6b25e19986a0a4d29adda2/68c46ded99414072330569f7",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "https://urlquery.net/report/647c05f2-4e0d-4b33-8ec7-4c949e928bfb",
        "Malware : ClipBanker Entity: Crazy Frost",
        "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
        "https://www.virustotal.com/gui/domain/easydns.com/details",
        "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
        "https://tria.ge/250211-dx9v7swnbw",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "Yara: TrojanWin32Kredbegg  CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
        "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
        "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
        "https://tria.ge/250211-dt1hcswme1",
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Crazy Frost"
          ],
          "malware_families": [
            "Alf:heraklezeval:trojan:win32/clipbanker",
            "Trojan:win32/zusy",
            "Other malware",
            "Trojan.disfa/downloader10",
            "Rozena",
            "Beaver"
          ],
          "industries": [
            "Government",
            "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
            "Healthcare",
            "Media",
            "Retail",
            "Telecommunications",
            "Education",
            "Agriculture",
            "Hospitality",
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "698e93e1ab02db8c49e8c3ed",
      "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
      "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
      "modified": "2026-05-17T15:52:35.396000",
      "created": "2026-02-13T03:00:49.872000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 28000,
        "FileHash-SHA256": 48374,
        "FileHash-MD5": 42596,
        "FileHash-SHA1": 23243,
        "hostname": 35654,
        "URL": 75758,
        "SSLCertFingerprint": 30,
        "CVE": 7585,
        "email": 316,
        "FileHash-IMPHASH": 8,
        "CIDR": 26205,
        "JA3": 1,
        "URI": 5,
        "IPv4": 574,
        "Mutex": 1
      },
      "indicator_count": 288350,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "14 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f97a905451e3304319988b",
      "name": ".may 4 clone own on may 5",
      "description": "",
      "modified": "2026-05-07T02:57:38.229000",
      "created": "2026-05-05T05:05:20.493000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69f7fa1a282840a6e0aa370c",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 341,
        "FileHash-SHA1": 368,
        "FileHash-SHA256": 3143,
        "hostname": 2037,
        "IPv4": 186,
        "URL": 3288,
        "CIDR": 12,
        "email": 43,
        "domain": 1645,
        "URI": 1,
        "SSLCertFingerprint": 18,
        "CVE": 1
      },
      "indicator_count": 11083,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f7fa1a282840a6e0aa370c",
      "name": "May the 4th be with... every destructed file that never died",
      "description": "[undreds of thousands of people have been signing a petition calling for the removal of the president, Barack Obama, from the White House and the UK's prime minister, Theresa May, to be remove] The wording here. Its also May3rd not May 4th.",
      "modified": "2026-05-05T05:04:02.911000",
      "created": "2026-05-04T01:44:57.811000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 341,
        "FileHash-SHA1": 368,
        "FileHash-SHA256": 3142,
        "hostname": 1890,
        "IPv4": 162,
        "URL": 3241,
        "CIDR": 12,
        "email": 37,
        "domain": 1616,
        "URI": 1,
        "SSLCertFingerprint": 18
      },
      "indicator_count": 10828,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e30ffa710fafb6d651ca89",
      "name": "Kelowna detachment - British Columbia by streamminingex",
      "description": "",
      "modified": "2026-04-18T05:46:36.582000",
      "created": "2026-04-18T05:00:42.166000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "6570a552ac0b6570454709f7",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 15,
        "URL": 1354,
        "FileHash-MD5": 1308,
        "FileHash-SHA1": 1314,
        "FileHash-SHA256": 4898,
        "hostname": 1401,
        "email": 62,
        "domain": 1239,
        "CIDR": 8
      },
      "indicator_count": 11599,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "43 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e30ffde212f52470137868",
      "name": "Kelowna detachment - British Columbia by streamminingex",
      "description": "",
      "modified": "2026-04-18T05:46:26.897000",
      "created": "2026-04-18T05:00:45.780000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "6570a552ac0b6570454709f7",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 15,
        "URL": 1358,
        "FileHash-MD5": 1308,
        "FileHash-SHA1": 1314,
        "FileHash-SHA256": 4898,
        "hostname": 1405,
        "email": 62,
        "domain": 1242,
        "CIDR": 8
      },
      "indicator_count": 11610,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "43 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf64e1d5e06aa6207f78de",
      "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
      "description": "",
      "modified": "2026-03-27T00:30:39.055000",
      "created": "2026-03-22T03:41:21.863000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": "698e93e1ab02db8c49e8c3ed",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27572,
        "FileHash-SHA256": 46076,
        "FileHash-MD5": 42177,
        "FileHash-SHA1": 22874,
        "hostname": 33438,
        "URL": 74810,
        "SSLCertFingerprint": 21,
        "CVE": 7579,
        "email": 297,
        "FileHash-IMPHASH": 8,
        "CIDR": 26203,
        "JA3": 1
      },
      "indicator_count": 281056,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 149,
      "modified_text": "66 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bf64eccb5d39a90a3c391e",
      "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
      "description": "",
      "modified": "2026-03-27T00:30:39.055000",
      "created": "2026-03-22T03:41:32.565000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": "698e93e1ab02db8c49e8c3ed",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27572,
        "FileHash-SHA256": 46076,
        "FileHash-MD5": 42177,
        "FileHash-SHA1": 22874,
        "hostname": 33438,
        "URL": 74810,
        "SSLCertFingerprint": 21,
        "CVE": 7579,
        "email": 297,
        "FileHash-IMPHASH": 8,
        "CIDR": 26203,
        "JA3": 1
      },
      "indicator_count": 281056,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 152,
      "modified_text": "66 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6928f8d9e4222a6a219d785e",
      "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
      "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
      "modified": "2025-12-28T00:04:06.179000",
      "created": "2025-11-28T01:20:25.401000",
      "tags": [
        "dynamicloader",
        "json",
        "ascii text",
        "high",
        "data",
        "x90uxa4xf8",
        "cape",
        "stream",
        "guard",
        "write",
        "trojan",
        "redline",
        "malware",
        "push",
        "local",
        "injection_inter_process",
        "recon_fingerprint",
        "persistence_ads",
        "process_creation_suspicious_location",
        "infostealer_browser",
        "infostealer_cookies",
        "stealth_file",
        "cape_detected_threat",
        "antivm_generic_bios",
        "cape_extracted_content",
        "united",
        "mtb jul",
        "a domains",
        "aaaa",
        "443 ma86400",
        "servers",
        "win32upatre jul",
        "virtool",
        "b778b1",
        "div div",
        "d9e4f4",
        "edf2f8",
        "present mar",
        "fastest privacy",
        "first dns",
        "win32",
        "trojandropper",
        "passive dns",
        "mtb nov",
        "ipv4 add",
        "asn as13335",
        "dns resolutions",
        "domain",
        "data upload",
        "extraction",
        "yara",
        "troja yara",
        "trojar data",
        "virto",
        "worn data",
        "included iocs",
        "manually add",
        "resolved ips",
        "ta0002",
        "evasion ta0005",
        "tr shared",
        "modules",
        "files",
        "infor",
        "t1027",
        "process t1057",
        "community score",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "ssl certificate",
        "defense evasion",
        "spawns",
        "flag",
        "name server",
        "date",
        "cloudflare",
        "data protected",
        "misc activity",
        "et info",
        "dns requests",
        "domain address",
        "gmt flag",
        "techtarget",
        "server",
        "et policy",
        "prefetch2",
        "t1179 hooking",
        "access windows",
        "installs",
        "mitre att",
        "ck techniques",
        "click",
        "windir",
        "country",
        "contacted hosts",
        "ip address",
        "process details",
        "contacted",
        "http traffic",
        "suricata alerts",
        "event category",
        "found"
      ],
      "references": [
        "Malware : ClipBanker Entity: Crazy Frost",
        "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
        "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
        "Services : GoogleChromeElevationService = Delete",
        "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
        "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
        "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
        "Yara: TrojanWin32Kredbegg  CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
        "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
        "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
        "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
        "CS IDS: Matches rule (http_inspect) invalid status line",
        "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
        "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
        "http://www.anyxxxtube/"
      ],
      "public": 1,
      "adversary": "Crazy Frost",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
          "target": null
        },
        {
          "id": "Trojan.Disfa/downloader10",
          "display_name": "Trojan.Disfa/downloader10",
          "target": null
        },
        {
          "id": "Other Malware",
          "display_name": "Other Malware",
          "target": null
        },
        {
          "id": "Trojan:Win32/Zusy",
          "display_name": "Trojan:Win32/Zusy",
          "target": "/malware/Trojan:Win32/Zusy"
        },
        {
          "id": "Rozena",
          "display_name": "Rozena",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1043",
          "name": "Commonly Used Port",
          "display_name": "T1043 - Commonly Used Port"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1464",
          "name": "Jamming or Denial of Service",
          "display_name": "T1464 - Jamming or Denial of Service"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 295,
        "FileHash-SHA1": 217,
        "FileHash-SHA256": 1887,
        "URL": 3263,
        "domain": 597,
        "hostname": 1085,
        "email": 2,
        "CVE": 1
      },
      "indicator_count": 7347,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "155 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c4780e758249ca5e4e2345",
      "name": "easydns[.]com - 09.12.25",
      "description": "Just taking a peak into something",
      "modified": "2025-10-12T19:19:29.699000",
      "created": "2025-09-12T19:44:14.645000",
      "tags": [
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "pcap processing",
        "pcap",
        "brand",
        "gecko",
        "win64",
        "khtml",
        "windows nt",
        "microsoft edge",
        "ansi",
        "cookie",
        "date",
        "apache",
        "accept",
        "window",
        "wind",
        "suspicious",
        "mozi",
        "mozilla",
        "comspec",
        "hybrid",
        "model",
        "close",
        "click",
        "hosts",
        "bran",
        "general",
        "path",
        "encrypt",
        "form",
        "iframe",
        "dest",
        "strings",
        "contact",
        "url",
        "scanner",
        "reputation",
        "phishing",
        "wordpress",
        "javascript",
        "google tag",
        "manager",
        "domain",
        "mysql",
        "warning icon",
        "share report",
        "systems",
        "cloudflare",
        "write",
        "beaver",
        "static analyzer",
        "emulation",
        "analyzer",
        "asset search",
        "entity",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "ioc",
        "extraction",
        "platform",
        "please"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/bae6209a84b8b9558b228097c01111583ce257b69a6b25e19986a0a4d29adda2/68c46ded99414072330569f7",
        "https://urlquery.net/report/647c05f2-4e0d-4b33-8ec7-4c949e928bfb",
        "https://app.threat.zone/submission/bee9384a-885f-4a41-84d1-3fd6a20a6202/url-analysis-report",
        "https://www.criminalip.io/asset/search?query=easydns.com",
        "https://www.virustotal.com/graph/embed/g69ea548b8df6420181ba26257fd94c975c372d52a00741e0962ca0f024740ffa?theme=dark",
        "https://www.filescan.io/uploads/68c46d04dbc6f5a29c427d1b/reports/f599fde4-a148-45cd-a7f8-ecc996938de2/ioc",
        "https://www.virustotal.com/gui/domain/easydns.com/details",
        "https://www.virustotal.com/gui/domain/easydns.com/relations",
        "https://intelx.io/?s=easydns.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Beaver",
          "display_name": "Beaver",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 140,
        "FileHash-SHA1": 133,
        "FileHash-SHA256": 507,
        "SSLCertFingerprint": 16,
        "URL": 271,
        "domain": 68,
        "email": 3,
        "hostname": 273
      },
      "indicator_count": 1411,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "231 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67aac6e4b628acffaed3f068",
      "name": "New Batch - Malcerts - 02.10.25 - unenriched",
      "description": "Here is the full text of the text that was found on the website of Mozilla, following an investigation by the security firm Virustotal and the UK's Office of National Statistics (ONS).. [autofilled].\n\nMore Malcerts from Sample Device deployed at several sites in YEG - Canada. Related to pulse - Thor Scan Lite Linux\nNot enriched on import, but did include links to VT entries as IOCs (those will be false positives - but easy access). \nFolder name: Mozilla Located @ /usr/share/ca-certificates",
      "modified": "2025-03-16T17:01:06.968000",
      "created": "2025-02-11T03:41:24.585000",
      "tags": [
        "UAlberta",
        "Malcerts",
        "Certificates",
        "Eduroam",
        "Alberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/iocs",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/summary",
        "https://hybrid-analysis.com/file-collection/67aa8951a3fc5708a905306a",
        "https://www.virustotal.com/gui/collection/207ce29e0defa958ed9ce12667ce39b491e3e8d1f0a345b3c6b50992c9879b5c/community",
        "https://tria.ge/250210-3c3c3askfz",
        "https://tria.ge/250210-3nh4kasmes",
        "https://tria.ge/250210-3y8f7sspdy",
        "https://tria.ge/250211-dhpxgswlax",
        "https://tria.ge/250211-dt1hcswme1",
        "https://tria.ge/250211-dx9v7swnbw",
        "Zipped IOC: c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "https://www.virustotal.com/graph/embed/g4d7797bcffdd450281d4012ac3a0a5ee3fafe8b4f5964c18b4e0332306cb367b?theme=dark",
        "https://tip.neiki.dev/file/c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "c85a87adee4c099081c0be6a69d7468280f4d289bde882c66af86d023d32288a",
        "Cert[.]pl MLDB: 1da23fc67a5f101321e39d04e76dcaa7"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government",
        "Healthcare",
        "Telecommunications",
        "Finance",
        "Agriculture",
        "Hospitality",
        "Media",
        "Retail"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 831,
        "FileHash-SHA1": 801,
        "FileHash-SHA256": 3227,
        "URL": 395,
        "domain": 189,
        "hostname": 798
      },
      "indicator_count": 6241,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "441 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "dns.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "dns.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780282330.9705992
}