{
"type": "Domain",
"indicator": "docs.tw",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/docs.tw",
"alexa": "http://www.alexa.com/siteinfo/docs.tw",
"indicator": "docs.tw",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3467306742,
"indicator": "docs.tw",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e940361a6e8be7e02ffe5d",
"name": "URL_File_Delivery clone by octoseek",
"description": "",
"modified": "2026-05-22T23:04:42.859000",
"created": "2026-04-22T21:40:06.671000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d9d1b920c9b43c1885b2e4",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1644,
"domain": 386,
"hostname": 535,
"FileHash-SHA256": 609,
"email": 5,
"URI": 9,
"FilePath": 1,
"FileHash-SHA1": 8,
"FileHash-MD5": 24
},
"indicator_count": 3221,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "125 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "140 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "153 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "176 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "192 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f93b1cebf80f48450bd517",
"name": "Yuner - File deletion and Disk Wiping / Cyberstalking ",
"description": "",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T20:14:20.632000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": "68f9288e0d98f3b44c2cb90c",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "192 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d3caa9524bb6b5460615f3",
"name": "Legacy.Trojan affects threat researchers networks & portals and/or platforms",
"description": "Legacy.Trojan affects threat researchers networks & portals and/or platforms or via platforms as a medium.\n[otx auto populated: Adversaries may be able to gain access to a victim's network through a range of techniques, as well as using a variety of other techniques to evade detection and detection.]\n#honeypot #capture #advesaries #fireeye #github",
"modified": "2025-10-24T10:01:25.310000",
"created": "2025-09-24T10:40:40.987000",
"tags": [
"text drag",
"browse to",
"select file",
"or drop",
"yara detections",
"runlevel",
"av detections",
"ids detections",
"alerts",
"analysis date",
"inject",
"stncphpphp more",
"virustotal api",
"comments",
"related tags",
"passive dns",
"republic",
"ipv4 add",
"location korea",
"korea",
"asn as9318",
"dns resolutions",
"pulses otx",
"close",
"dynamicloader",
"backdoor",
"tgt session",
"reads",
"dynamic",
"write",
"chopper",
"pho exploit",
"backdoor",
"fireeye",
"low risk",
"drop",
"create snapshot",
"hangover_appinbot",
"kns dropper",
"self",
"md5 sha256",
"google safe",
"browsing",
"server response",
"response code",
"vary",
"mimikatz",
"silence malware",
"trojanagent",
"legacy",
"password",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"initial access",
"defense evasion",
"spawns",
"copy md5",
"copy sha1",
"copy sha256",
"selection",
"ascii text",
"crlf line",
"windir",
"openurl c",
"appearance code",
"password",
"urlhttps",
"username",
"flag",
"united",
"markmonitor",
"github",
"server",
"date",
"click",
"apt 1",
"high",
"read c",
"search",
"medium",
"show",
"windows",
"cmd c",
"ms windows",
"next",
"copy",
"ver",
"businesseconomy"
],
"references": [
"Files",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Ireland"
],
"malware_families": [
{
"id": "Php.Exploit.C99-27",
"display_name": "Php.Exploit.C99-27",
"target": null
},
{
"id": "Backdoor:ASP/Chopper.F!dha",
"display_name": "Backdoor:ASP/Chopper.F!dha",
"target": "/malware/Backdoor:ASP/Chopper.F!dha"
},
{
"id": "Legacy.Trojan.Agent-37025",
"display_name": "Legacy.Trojan.Agent-37025",
"target": null
},
{
"id": "Ver",
"display_name": "Ver",
"target": null
}
],
"attack_ids": [
{
"id": "T1110.001",
"name": "Password Guessing",
"display_name": "T1110.001 - Password Guessing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1459",
"name": "Device Unlock Code Guessing or Brute Force",
"display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 87,
"FileHash-SHA1": 84,
"FileHash-SHA256": 1049,
"URL": 1688,
"hostname": 544,
"email": 5,
"domain": 292,
"CVE": 2
},
"indicator_count": 3751,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "221 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d37e35f99d852d38beb769",
"name": "Cryptex Port Key \u2022 RedLine Stealer affects Threat Research Platform/s",
"description": "#attack? #honeypot?",
"modified": "2025-10-24T04:02:54.218000",
"created": "2025-09-24T05:14:28.101000",
"tags": [
"x00x00n",
"memcommit",
"regopenkeyexw",
"regsz",
"else",
"ipnnoysrdi tr",
"writeconsolew",
"cryptexportkey",
"invalid pointer",
"x1ex00x00n",
"redline stealer",
"service",
"powershell",
"tools",
"persistence",
"execution",
"dock",
"write",
"updater",
"malware",
"passive dns",
"urls",
"url add",
"ip address",
"related nids",
"files location",
"hong kong",
"united",
"present jul",
"present dec",
"search",
"present may",
"a domains",
"name servers",
"unknown aaaa",
"trojan",
"present jan",
"present sep",
"moved",
"title",
"span td",
"td td",
"tr tr",
"a li",
"ipv4 internet",
"span",
"meta",
"gmt content",
"ipv4 add",
"reverse dns",
"trojanx",
"location hong kong",
"software",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"spawns",
"development att",
"ascii text",
"pattern match",
"mitre att",
"ck matrix",
"sha1",
"odigicert inc",
"network traffic",
"general",
"local",
"path",
"encrypt",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"size",
"crlf line",
"urlhttps",
"extracted files",
"acquires",
"networking",
"readiness"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 150,
"FileHash-SHA1": 148,
"FileHash-SHA256": 3059,
"domain": 1277,
"URL": 4166,
"hostname": 1251,
"SSLCertFingerprint": 10,
"email": 1
},
"indicator_count": 10062,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "221 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68abf66e97031d0ff0c04fed",
"name": "Packed sentient.industries links to a targets business website",
"description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.",
"modified": "2025-09-24T04:04:05.604000",
"created": "2025-08-25T05:36:46.327000",
"tags": [
"moved",
"body",
"x cache",
"cloudfront x",
"cph50 c2",
"certificate",
"record value",
"title",
"h1 center",
"server",
"redacted for",
"servers",
"name redacted",
"for privacy",
"name servers",
"org data",
"privacy city",
"privacy country",
"ca creation",
"passive dns",
"urls",
"files",
"ip address",
"asn as57033",
"less whois",
"registrar",
"tucows domains",
"key identifier",
"data",
"v3 serial",
"number",
"cat ozerossl",
"cnzerossl ecc",
"domain secure",
"site ca",
"validity",
"subject public",
"extraction",
"data upload",
"extra data",
"include review",
"find",
"failed",
"typ no",
"ms windows",
"intel",
"pe32",
"united",
"search",
"as16509",
"from win32bios",
"show",
"high",
"medium",
"delphi",
"copy",
"write",
"launcher",
"next",
"present aug",
"present jul",
"lowfi",
"win32",
"a div",
"div div",
"learn xml",
"babylon",
"win64",
"trojan",
"colors",
"python",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"et info",
"tls handshake",
"bad traffic",
"failure",
"date",
"august",
"hybrid",
"general",
"path",
"starfield",
"click",
"strings",
"se bethseda",
"n bethseda",
"n data",
"error",
"date checked",
"url hostname",
"server response",
"google safe",
"results aug",
"read c",
"tlsv1",
"port",
"destination",
"module load",
"execution",
"dock",
"persistence",
"malware",
"unknown",
"cname",
"aaaa",
"creation date",
"showing",
"domain",
"dga domains",
"palantirfoundry",
"foundry",
"status",
"unknown ns",
"g2 tls",
"rsa sha256",
"italy unknown",
"mtb may",
"trojandropper",
"invalid url",
"next associated",
"ddos",
"body html",
"hacktool",
"ipv4",
"url analysis",
"ukraine",
"encrypt",
"rl add",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"present jun",
"entries",
"title error",
"all ipv4",
"reverse dns",
"yara detections",
"top source",
"top destination",
"source source",
"sha256 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"canada unknown",
"content type",
"javascript src",
"script script",
"x powered",
"ipv4 add",
"pulse submit",
"submit url",
"analysis",
"url add",
"related nids",
"files location",
"canada flag",
"canada hostname",
"unknown aaaa",
"ascii text",
"user agent",
"powershell",
"agent",
"czechia unknown",
"domain add",
"dynamicloader",
"hostname add",
"pentagon",
"defense"
],
"references": [
"sentient.industries affects independent artists. Affects several others.",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"(Can't access file- Malware infection files)",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"Remotewd.com devices",
"If you find anything interesting please research it."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "nUFS_inno",
"display_name": "nUFS_inno",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious",
"display_name": "#Lowfi:HSTR:MSIL/Malicious",
"target": null
},
{
"id": "ALF:JASYP:PUA:Win32/Bibado",
"display_name": "ALF:JASYP:PUA:Win32/Bibado",
"target": null
},
{
"id": "Trojan:Win32/Toga",
"display_name": "Trojan:Win32/Toga",
"target": "/malware/Trojan:Win32/Toga"
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Custom Malware",
"display_name": "Custom Malware",
"target": null
},
{
"id": "#LowFiEnableDTContinueAfterUnpacking",
"display_name": "#LowFiEnableDTContinueAfterUnpacking",
"target": null
},
{
"id": "Win32:Downloader-GJK\\ [Trj]",
"display_name": "Win32:Downloader-GJK\\ [Trj]",
"target": null
},
{
"id": "Win.Downloader.109205-1",
"display_name": "Win.Downloader.109205-1",
"target": null
},
{
"id": "Win.Trojan.Jorik-149",
"display_name": "Win.Trojan.Jorik-149",
"target": null
},
{
"id": "#LowFiDetectsVmWare",
"display_name": "#LowFiDetectsVmWare",
"target": null
},
{
"id": "Win.Trojan.Jorik-130",
"display_name": "Win.Trojan.Jorik-130",
"target": null
},
{
"id": "Win.Trojan.Fakecodecs-119",
"display_name": "Win.Trojan.Fakecodecs-119",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Bulz-9860169-0",
"display_name": "Win.Trojan.Bulz-9860169-0",
"target": null
},
{
"id": "Win.Malware.Midie-6847892-0",
"display_name": "Win.Malware.Midie-6847892-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Muldrop.V!MTB",
"display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
"target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
},
{
"id": "Win.Packed.Razy-9785185-0",
"display_name": "Win.Packed.Razy-9785185-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "PWS",
"display_name": "PWS",
"target": null
},
{
"id": "DDOS:Win32/Stormser.A",
"display_name": "DDOS:Win32/Stormser.A",
"target": "/malware/DDOS:Win32/Stormser.A"
},
{
"id": "ALF:HSTR:DotNET",
"display_name": "ALF:HSTR:DotNET",
"target": null
},
{
"id": "DotNET",
"display_name": "DotNET",
"target": null
},
{
"id": "Script Exploit",
"display_name": "Script Exploit",
"target": null
},
{
"id": "HackTool:Win32/AutoKMS",
"display_name": "HackTool:Win32/AutoKMS",
"target": "/malware/HackTool:Win32/AutoKMS"
},
{
"id": "Xanfpezes.A",
"display_name": "Xanfpezes.A",
"target": null
},
{
"id": "Trojan:Win32/Gandcrab",
"display_name": "Trojan:Win32/Gandcrab",
"target": "/malware/Trojan:Win32/Gandcrab"
},
{
"id": "Win.Trojan.Generic-9862772-0",
"display_name": "Win.Trojan.Generic-9862772-0",
"target": null
},
{
"id": "Trojan:Win32/Zbot.SIBL!MTB",
"display_name": "Trojan:Win32/Zbot.SIBL!MTB",
"target": "/malware/Trojan:Win32/Zbot.SIBL!MTB"
},
{
"id": "Win32/Nemucod",
"display_name": "Win32/Nemucod",
"target": null
},
{
"id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn",
"target": null
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "TrojanDropper:Win32/Muldrop",
"display_name": "TrojanDropper:Win32/Muldrop",
"target": "/malware/TrojanDropper:Win32/Muldrop"
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47",
"target": null
},
{
"id": "Win.Malware.Kolab-9885903-0",
"display_name": "Win.Malware.Kolab-9885903-0",
"target": null
},
{
"id": "Win.Malware (30)",
"display_name": "Win.Malware (30)",
"target": null
},
{
"id": "Ransom",
"display_name": "Ransom",
"target": null
},
{
"id": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption",
"target": null
},
{
"id": "E5",
"display_name": "E5",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003.008",
"name": "/etc/passwd and /etc/shadow",
"display_name": "T1003.008 - /etc/passwd and /etc/shadow"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 40,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 6232,
"URL": 24908,
"hostname": 7993,
"FileHash-SHA256": 11128,
"email": 6,
"FileHash-MD5": 1054,
"FileHash-SHA1": 932,
"SSLCertFingerprint": 14,
"CIDR": 3,
"CVE": 3
},
"indicator_count": 52273,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 152,
"modified_text": "251 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "685186035e5fb63846d29e45",
"name": "Regarding Minority Report 2.0 | Aggresive Remote device tracking (multiple) | Network Rat",
"description": "Abuse.\nWhy is so much of this in plain sight? .\nMalicious tactics abused by preemptive policing recently implemented by Tech Bros under current Trump administration.\nThee governing Cyber Defense / AI / Data collection firm. | foundry2-lbl.dvr.dn2.n-helix.com | \nhttp://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://foundry2-lbl.dvr.dn2.n-helix.com |\nhttps://nl.cyberriskalliance.com/assets/icons/twitter.png |\nhttps://axis.snxd.com/track/0\n| track.getbuilt.com | \nRelates to Denver female \u2018allegedly\u2019 injured \u2018in PT.\nA malicious prosecution case against alleged victim after a Detective brought \u2018MTI\u2019 case to controlled Denver DA was dismissed by judge. Injured victim paid a pathetic settlement; especially considering the seriousness of the response of the government. \nThis type\nof tracking silencing is critically dangerous. \nHosanna make no haste to rescue all\nof victims of civilian & victim targeting.\n*Crowdsourced",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:13:07.233000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 48,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "320 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "685186983a4dd00c2b45b255",
"name": "Source:\thttps://cloud.samsara.com/o/79639/flee",
"description": "",
"modified": "2025-07-17T14:01:34.245000",
"created": "2025-06-17T15:15:36.505000",
"tags": [
"body",
"cps https",
"location",
"urls server",
"cloudfront",
"united",
"unknown aaaa",
"search",
"digital press",
"moved",
"digital culture",
"ip address",
"creation date",
"record value",
"entries",
"date",
"meta",
"urls",
"http",
"passive dns",
"unique",
"pulse pulses",
"related nids",
"files location",
"flag united",
"showing",
"rich content",
"system",
"cdn amazon",
"amazons3 tls",
"certificate",
"redirects",
"ua9385760744",
"utc na",
"utc google",
"tag manager",
"gk4vnlmd3b9",
"server",
"amazon",
"net1832001",
"net18160001",
"address range",
"cidr",
"network name",
"allocation type",
"whois server",
"entity amazon4",
"handle",
"present mar",
"present feb",
"unknown cname",
"urls show",
"date checked",
"url hostname",
"server response",
"aaaa"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "685186035e5fb63846d29e45",
"export_count": 47,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2075,
"URL": 5471,
"hostname": 1531,
"domain": 1013,
"FileHash-MD5": 55,
"FileHash-SHA1": 53,
"CVE": 1,
"SSLCertFingerprint": 1,
"email": 1,
"CIDR": 2
},
"indicator_count": 10203,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "320 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68743733a69ce827f6156f5c",
"name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy",
"description": "",
"modified": "2025-07-13T22:46:11.685000",
"created": "2025-07-13T22:46:11.685000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 21,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 147,
"modified_text": "323 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "684a3719a2708183b1b16d00",
"name": "Follow Bot (black-basta_cova_cryptb) affects threat researcher(s)account(s)",
"description": "Surprised: \nFollow bot account affects threat researcher(s)account(s). % path , attempts DoS. Threatening account name,. \n\n\n(00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | =\nfollow) \n|| {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer\nFastCopy5.9.0.exe}\n\nET DNS Query for .cc \n PROTOCOL-ICMP PATH MTU denial of service attempt\nPROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set",
"modified": "2025-07-12T01:02:11.925000",
"created": "2025-06-12T02:10:33.839000",
"tags": [
"gtmkvjvztk",
"open threat",
"learn",
"levelblue",
"exchange meta",
"tags twitter",
"alienvault",
"script tags",
"iframe tags",
"google tag",
"html internet",
"html document",
"ascii text",
"ta0004 defense",
"evasion ta0005",
"command",
"control ta0011",
"number",
"cnmicrosoft ecc",
"update secure",
"server ca",
"cus subject",
"stwa lredmond",
"omicrosoft c",
"resolved ips",
"get http",
"dns resolutions",
"request",
"response",
"windows nt",
"win64",
"khtml",
"gecko",
"defense evasion",
"ta0009 command",
"impact ta0040",
"catalog tree",
"analysis ob0001",
"analysis ob0002",
"ob0007 impact",
"ob0012 file",
"system oc0001",
"process oc0003",
"data oc0004",
"oc0008",
"get https",
"vis1",
"oid2",
"post https",
"cjutxg",
"base64uidenc",
"error https"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 162,
"FileHash-SHA1": 28,
"FileHash-SHA256": 2459,
"domain": 889,
"hostname": 1217,
"URL": 4326,
"FilePath": 1
},
"indicator_count": 9082,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "325 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6802db5065a2d5648af92de3",
"name": "Pegasus Spyware",
"description": "If you see one of these IP addresses on your Android device, know this: the government is spying on you. It is recommended to perform a clean install of the latest version of Android, without Google services and with a proper firewall. Don't forget to disable RCS to decrease the attack surface.",
"modified": "2025-05-20T10:00:22.858000",
"created": "2025-04-18T23:08:00.201000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "esjsonexe",
"id": "320409",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 255,
"hostname": 318,
"URL": 762,
"FileHash-SHA256": 288
},
"indicator_count": 1623,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 18,
"modified_text": "378 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "674248a40f08120e523708eb",
"name": "cqbpy.nakula.fun (enriched)",
"description": "",
"modified": "2024-12-23T21:01:08.932000",
"created": "2024-11-23T21:27:00.332000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 60,
"hostname": 383,
"domain": 63,
"URL": 487
},
"indicator_count": 997,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 184,
"modified_text": "525 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67264874826a7c8efb017e83",
"name": "unfamiiiiardates (enriched)",
"description": "",
"modified": "2024-12-02T15:01:26.132000",
"created": "2024-11-02T15:42:44.989000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 94,
"hostname": 67,
"domain": 70,
"URL": 212
},
"indicator_count": 447,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 184,
"modified_text": "546 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6523344e4adc85389899504c",
"name": "Unsupported IE 404 account running BotNet Command & Control [by OctoSeek]",
"description": "",
"modified": "2024-10-13T03:00:28.081000",
"created": "2023-10-08T22:59:26.040000",
"tags": [
"united",
"contacted urls",
"whois record",
"contacted",
"malicious site",
"malware",
"phishing site",
"anonymizer",
"heur",
"control server",
"facebook",
"cobalt strike",
"execution",
"installcore",
"phishing",
"service",
"core",
"metro",
"icmp",
"hacktool",
"download",
"relic",
"monitoring",
"installer",
"steam",
"bank",
"dnspionage",
"crack",
"unsafe",
"ramnit",
"emotet",
"malware site",
"proxy",
"exploit",
"fakealert",
"team",
"redline stealer",
"laplasclipper",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"alexa",
"downloader",
"opencandy",
"generic",
"presenoker",
"maltiverse",
"trojanspy",
"date",
"unknown",
"windir",
"markmonitor",
"name server",
"av detection",
"september",
"default browser",
"guest system",
"hybrid",
"general",
"click",
"strings",
"class",
"critical",
"blacklist",
"union",
"Embarcadero Delphi",
"whois whois",
"referrer",
"ssl certificate",
"communicating",
"resolutions",
"parent parent",
"dropped",
"stealer",
"banker",
"keylogger",
"attack",
"apple",
"detection list",
"ip address",
"netsky",
"firehol proxy",
"noname057",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"FireHol",
"Proxy",
"Pexee",
"Bank of America Corporation Malware Download",
"CVE-2017-11882",
"Alexa SANS Internet Storm Center",
"MCI Verizon Block",
"NaN"
],
"references": [
"http://ww1.tsx.org/_fd",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"remote.telegrafix.com (remote hacking)",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"remote.haverhillcc.com (remote hacking)",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"apple.com. (malicious version/header)",
"https://www.apple.com/sitemap/",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"init.ess.apple.com (remote hacking)",
"applepaydayloans.com",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://applepaydayloans.com/",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"https://support.Apple.com/de",
"http://www.Apple.com/quicktime/download",
"http://www.Apple.com/quicktime/download/standalone.html",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"https://www.roseoubleu.fr/panier (phishing)",
"Roksit.net",
"stagelight.pl (malicious/ pattern match)",
"www.jamesbgriffinlaw.com (malicious host)",
"Data Analytics",
"Behavior Pattern Match Analysis",
"45.159.189.105 (Command and Control)",
"http://45.159.189.105/bot/regex (Bot Command)",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "TEL:Delphi/Obfuscator",
"display_name": "TEL:Delphi/Obfuscator",
"target": "/malware/TEL:Delphi/Obfuscator"
},
{
"id": "LaplasClipper",
"display_name": "LaplasClipper",
"target": null
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "SLFPER:InstallCore",
"display_name": "SLFPER:InstallCore",
"target": null
},
{
"id": "RedLine Stealer",
"display_name": "RedLine Stealer",
"target": null
},
{
"id": "ALF:Program:OpenCandy:Remnant",
"display_name": "ALF:Program:OpenCandy:Remnant",
"target": null
},
{
"id": "Ramnit",
"display_name": "Ramnit",
"target": null
},
{
"id": "Relic",
"display_name": "Relic",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
},
{
"id": "generic.malware",
"display_name": "generic.malware",
"target": null
},
{
"id": "Anonymizer",
"display_name": "Anonymizer",
"target": null
},
{
"id": "#HSTR:HackTool:Win32/Mimikatz",
"display_name": "#HSTR:HackTool:Win32/Mimikatz",
"target": null
},
{
"id": "PWS:MSIL/Steam",
"display_name": "PWS:MSIL/Steam",
"target": "/malware/PWS:MSIL/Steam"
},
{
"id": "Trojan.HTML.Agent",
"display_name": "Trojan.HTML.Agent",
"target": null
},
{
"id": "Gen:Variant.Zusy",
"display_name": "Gen:Variant.Zusy",
"target": null
},
{
"id": "Worm:Win32/Netsky",
"display_name": "Worm:Win32/Netsky",
"target": "/malware/Worm:Win32/Netsky"
},
{
"id": "Sodin Ransomware",
"display_name": "Sodin Ransomware",
"target": null
},
{
"id": "Keyloggers",
"display_name": "Keyloggers",
"target": null
},
{
"id": "Proxy",
"display_name": "Proxy",
"target": null
},
{
"id": "TEL:Trojan:Win32/Emotet",
"display_name": "TEL:Trojan:Win32/Emotet",
"target": null
},
{
"id": "Cobalt Strike - S0154",
"display_name": "Cobalt Strike - S0154",
"target": null
},
{
"id": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"display_name": "Generic.ASMalwS Malicious_confidence_70% 1\tIL:Trojan.MSILZilla 1\tFileRepMalware 1\tRansom.Sabsik 1\tBehavesLike.Dropper 1\tMicrosoft phishing 1\tBackdoor.Mokes 1\tPhishing Bank of America Corporat",
"target": null
},
{
"id": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"display_name": "malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tUnsafe.AI_Score_98% 1\tMobigame 1\tbanker,evasive,retefe 1\tProgram.Unwanted 1\tmalicious.high.ml 1\tKryptik.dawvk 1\tUnsafe.AI_Score_91% 1\tAdwar",
"target": null
},
{
"id": "AdwareSig [Adw] ml.Generic",
"display_name": "AdwareSig [Adw] ml.Generic",
"target": null
},
{
"id": "W32.Hack.Generic",
"display_name": "W32.Hack.Generic",
"target": null
},
{
"id": "Trojan.Ole2.Vbs",
"display_name": "Trojan.Ole2.Vbs",
"target": null
},
{
"id": "QVM20.1.8D80.Malware",
"display_name": "QVM20.1.8D80.Malware",
"target": null
},
{
"id": "Generic.Malware",
"display_name": "Generic.Malware",
"target": null
},
{
"id": "Backdoor.Mokes",
"display_name": "Backdoor.Mokes",
"target": null
},
{
"id": "AdWare.DropWare",
"display_name": "AdWare.DropWare",
"target": null
},
{
"id": "Gen:Variant.Razy",
"display_name": "Gen:Variant.Razy",
"target": null
},
{
"id": "Generic.31fcc75f",
"display_name": "Generic.31fcc75f",
"target": null
},
{
"id": "Trojan.Generic",
"display_name": "Trojan.Generic",
"target": null
},
{
"id": "Artemis",
"display_name": "Artemis",
"target": null
},
{
"id": "malware.generic",
"display_name": "malware.generic",
"target": null
},
{
"id": "Gen:Variant.Bulz",
"display_name": "Gen:Variant.Bulz",
"target": null
},
{
"id": "GameHack.DR",
"display_name": "GameHack.DR",
"target": null
},
{
"id": "Dropper.Binder",
"display_name": "Dropper.Binder",
"target": null
},
{
"id": "malicious.22a4c0",
"display_name": "malicious.22a4c0",
"target": null
},
{
"id": "SdBot.CAOC",
"display_name": "SdBot.CAOC",
"target": null
},
{
"id": "ml.Generic",
"display_name": "ml.Generic",
"target": null
},
{
"id": "Trojan.Ransom.GenericKD",
"display_name": "Trojan.Ransom.GenericKD",
"target": null
},
{
"id": "Phish.AB",
"display_name": "Phish.AB",
"target": null
},
{
"id": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"display_name": "undefined 1\tms 1\txyz 1\tgl 1\tnet TLD aggregation com ms xyz gl net 20% 20% 20% 20% 20% TLD\tCount com\t1 undefined\tNaN ms\t1 xyz\t1 gl\t1 net\t1 Combined blacklist timeline Hybrid-Analysis Maltiverse Resea",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6506b48d699080b4bfd334c5",
"export_count": 74,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 7761,
"CVE": 6,
"FileHash-MD5": 285,
"FileHash-SHA1": 165,
"FileHash-SHA256": 5059,
"domain": 987,
"hostname": 2399
},
"indicator_count": 16662,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "597 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "656aafd0e93efa420f74123c",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2024-10-12T01:00:47.836000",
"created": "2023-12-02T04:17:20.189000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6562908e28e6cdc237fbf8db",
"export_count": 107,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3895,
"URL": 11195,
"domain": 2959,
"hostname": 3575,
"CVE": 16,
"SSLCertFingerprint": 1,
"email": 1
},
"indicator_count": 24465,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "598 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a4885e735b9e8ba94805bc",
"name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com",
"description": "",
"modified": "2024-09-05T06:51:42.608000",
"created": "2024-01-15T01:20:30.730000",
"tags": [
"execution",
"whois record",
"contacted",
"ssl certificate",
"whois whois",
"contacted urls",
"copy",
"historical ssl",
"referrer",
"urls url",
"icmp",
"malicious",
"installer",
"problems",
"collections",
"report",
"phishing",
"service tool",
"greatness",
"threat network",
"emotet",
"magniber",
"startpage",
"attack",
"banker",
"keylogger",
"namecheap inc",
"com laude",
"ltd dba",
"cloudflare",
"porkbun llc",
"ii llc",
"csc corporate",
"domains",
"computer",
"company limited",
"first",
"cloudflarenet",
"google",
"amazon02",
"akamaias",
"telecom italia",
"utc submissions",
"microsoftcorpas",
"indonesia",
"beijing gu",
"appleaustin",
"sucurisec",
"amazonaes",
"limited",
"tsara brashears",
"pornhub",
"thebrotherssabey",
"then brothers sabey",
"brian sabey",
"apple",
"icloud",
"apple engineering",
"soc",
"hacker",
"teams",
"malvertizing",
"cyberthreat",
"cyber crime",
"data",
"v3 serial",
"number",
"cgb stgreater",
"ecc domain",
"server ca",
"subject public",
"key info",
"key algorithm",
"ec oid",
"remote",
"remote attacker",
"benjamin",
"worm",
"trojan",
"win32",
"trojanspy",
"ransomware",
"command and control",
"cnc",
"c2",
"stealer",
"password",
"apple unlocker",
"pornographers",
"cyber stalking",
"revenge rat",
"masquerading",
"scanning host",
"phishing",
"dns",
"network",
"cobalt strike",
"mitre attack",
"metro hacker",
"t-mobile hacker",
"stalker",
"social engineering",
"et",
"torrent trecker",
"view",
"duckdns",
"blackhat",
"data center",
"tracking",
"illegal",
"malware scripting",
"malware spreader",
"network rat",
"multiple botnetworks"
],
"references": [
"https://thebrotherssabey.wordpress.com/",
"acam-mdn.apple.com",
"beacons.bcp.gvt.com",
"cpcontacts.webcamara.online",
"http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15",
"http://ti.hicloudcam.com",
"http://alohatube.xyz/search/tsara-brashears",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://search.app.goo.gl/?ofl",
"Worm:Win32/Benjamin",
"FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab",
"FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5",
"FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5",
"applemusic-spotlight.myunidays.com",
"nr-data.net",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4",
"blackhat.store",
"api.telegram.org",
"cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Silk",
"display_name": "Silk",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65a429795adf468b427a3c8b",
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2469,
"URL": 6038,
"FileHash-MD5": 169,
"FileHash-SHA1": 157,
"FileHash-SHA256": 3922,
"CIDR": 2,
"hostname": 2787,
"email": 2,
"CVE": 1
},
"indicator_count": 15547,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "635 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b85e73efe2e053366ed972",
"name": "https://www.hallrender.com/attorney/brian-sabey/",
"description": "",
"modified": "2024-09-05T06:21:34.047000",
"created": "2024-01-30T02:26:59.218000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"sample",
"ssl certificate",
"feeds ioc",
"analyze",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"threat roundup",
"referrer",
"contacted urls",
"august",
"execution",
"njrat",
"ransomware",
"gopher",
"formbook",
"whois ssl",
"communicating",
"obz4usfn0 url",
"cfqirgdhj5 url",
"obz4usfn0",
"sfqh4dt74w0 url",
"cfqirgdhj5",
"localappdata",
"temp",
"getprocaddress",
"windir",
"ascii text",
"mitre att",
"file",
"ck id",
"show technique",
"path",
"factory",
"hybrid",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers date",
"gmt connection",
"obz4usfn0 http",
"cfqirgdhj5 http",
"bundled",
"dropped",
"putty",
"february",
"july",
"whois whois",
"malware",
"urls",
"post",
"vj87",
"passive dns",
"http",
"unique",
"ukhdaauqaaaaaac",
"screenshot",
"scan endpoints",
"all octoseek",
"code"
],
"references": [
"https://www.hallrender.com/attorney/brian-sabey/",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"business-support.intel.com",
"00000000000.cloudfront.net",
"mobileaccess.intel.com",
"artificial-legal-intelligence.com",
"http://intel.net/.about.html",
"http://medlineplus.gov.https.sci-hub.st",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"http://pl.gov-zaloguj.info",
"http://apple.helptechnicalsupport.com/favicon.ico",
"https://www.journaldev.com/41403/regex"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Gopher",
"display_name": "Gopher",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Ascii Exploit",
"display_name": "Ascii Exploit",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "658b74ee93a0b0dc9c960cee",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 184,
"FileHash-SHA1": 168,
"FileHash-SHA256": 6145,
"URL": 14252,
"hostname": 4778,
"domain": 6809,
"CVE": 3
},
"indicator_count": 32339,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 230,
"modified_text": "635 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6688e0ffb31d4881f3238713",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:15:27.994000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 89,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "666 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6688e142f0c8f5ddecbc788c",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)",
"modified": "2024-08-05T04:01:42.283000",
"created": "2024-07-06T06:16:34.388000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 94,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "666 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6688e15588a794b95443b46d",
"name": "Google Spy engine | Tracking, Malware Repository",
"description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated",
"modified": "2024-08-05T02:03:31.529000",
"created": "2024-07-06T06:16:53.461000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"file size",
"b file",
"detections file",
"gzip chrome",
"cache entry",
"graph",
"ip detections",
"country",
"domains",
"internet domain",
"service bs",
"corp",
"namecheap inc",
"csc corporate",
"tucows",
"epik llc",
"tucows domains"
],
"references": [
"https://www.searchw3.com/",
"IP\u2019s Contacted: 192.124.249.187",
"Ransomware: message.htm.com",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 73,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3731,
"URL": 11926,
"hostname": 4626,
"domain": 4135,
"FileHash-MD5": 1530,
"FileHash-SHA1": 762,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 26747,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 234,
"modified_text": "666 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b4624c5bb71879020ceb1c",
"name": "Spyware | Ransomware | Direct Search Network | Trellian",
"description": "Large, hard to believe fraudulent threat network. Fraud services from private investigators to attorneys. Social engineering by phone, email, sponsored advertising, malvertizing, remote attacks. tracking, in person, emails, surveys, text, ongoing espionage campaigns, info stealing, cyber attacks, arrange in person meetings , identified as 'gang stalking' by detective, service staging. Very real. Bad actors take advantage of targets devices installing overlays on windows,android. iOS. Targets can only see what adversary wants seen.\n\nLarge threat network in Colorado and abroad.\nScreenshot: https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://1redirc.com/r2.php\nCouldn't submit 1st pulse. contacted, spyware, phishing,trojan, registrar abuse",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-27T01:54:20.513000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b474c9c9bed0cdd00a9480",
"name": "Spyware | Ransomware | Threat & Direct Search Network | Trellian",
"description": "",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-27T03:13:13.978000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65b4624c5bb71879020ceb1c",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b86568e1eaace7d9f062b4",
"name": "Tags auto populated in original Threat Network pulse missing",
"description": "",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-30T02:56:40.484000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b865697c59050da541247f",
"name": "Tags auto populated in original Threat Network pulse missing",
"description": "",
"modified": "2024-02-26T01:04:33.201000",
"created": "2024-01-30T02:56:41.045000",
"tags": [
"no expiration",
"expiration",
"url https",
"filehashmd5",
"ipv4",
"filehashsha1",
"filehashsha256",
"domain",
"url http",
"iocs",
"next",
"hostname",
"scan endpoints",
"all scoreblue",
"pdf report",
"pcap"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3010,
"FileHash-MD5": 1902,
"FileHash-SHA1": 1467,
"FileHash-SHA256": 2664,
"domain": 1195,
"hostname": 1802,
"email": 27,
"SSLCertFingerprint": 9
},
"indicator_count": 12076,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "827 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a429795adf468b427a3c8b",
"name": "Apple | Worm:Win32/Benjamin | thebrotherssabey.com",
"description": "Retaliation. Brian Sabey representing as an attorney and many other occupations contacted and socially engineered target. Uncertain of true name. Contacted 'alleged' SA assault victim. Made claims of representing a Jeffrey Scott Reimer DPT' alleged 'S' Assaulter. Substantiated claims made with the twist of 'victim consented'. Mark Brian Sbabeys claims dismissed. Continues to hack, harass, intimidate target in every possible way. Hacking, monitoring, service, modification, phone contact, malicious texting, in person monitoring via colleagues, hacks into medical and medical billing centers, sells/leaks targets data on dark web. Removed targets name from most pulses via remote device access. Self whitelist. Everything he does is illegal.\n\nTarget not important enough to law enforcement.",
"modified": "2024-02-13T17:04:19.437000",
"created": "2024-01-14T18:35:37.757000",
"tags": [
"execution",
"whois record",
"contacted",
"ssl certificate",
"whois whois",
"contacted urls",
"copy",
"historical ssl",
"referrer",
"urls url",
"icmp",
"malicious",
"installer",
"problems",
"collections",
"report",
"phishing",
"service tool",
"greatness",
"threat network",
"emotet",
"magniber",
"startpage",
"attack",
"banker",
"keylogger",
"namecheap inc",
"com laude",
"ltd dba",
"cloudflare",
"porkbun llc",
"ii llc",
"csc corporate",
"domains",
"computer",
"company limited",
"first",
"cloudflarenet",
"google",
"amazon02",
"akamaias",
"telecom italia",
"utc submissions",
"microsoftcorpas",
"indonesia",
"beijing gu",
"appleaustin",
"sucurisec",
"amazonaes",
"limited",
"tsara brashears",
"pornhub",
"thebrotherssabey",
"then brothers sabey",
"brian sabey",
"apple",
"icloud",
"apple engineering",
"soc",
"hacker",
"teams",
"malvertizing",
"cyberthreat",
"cyber crime",
"data",
"v3 serial",
"number",
"cgb stgreater",
"ecc domain",
"server ca",
"subject public",
"key info",
"key algorithm",
"ec oid",
"remote",
"remote attacker",
"benjamin",
"worm",
"trojan",
"win32",
"trojanspy",
"ransomware",
"command and control",
"cnc",
"c2",
"stealer",
"password",
"apple unlocker",
"pornographers",
"cyber stalking",
"revenge rat",
"masquerading",
"scanning host",
"phishing",
"dns",
"network",
"cobalt strike",
"mitre attack",
"metro hacker",
"t-mobile hacker",
"stalker",
"social engineering",
"et",
"torrent trecker",
"view",
"duckdns",
"blackhat",
"data center",
"tracking",
"illegal",
"malware scripting",
"malware spreader",
"network rat",
"multiple botnetworks"
],
"references": [
"https://thebrotherssabey.wordpress.com/",
"acam-mdn.apple.com",
"beacons.bcp.gvt.com",
"cpcontacts.webcamara.online",
"http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15",
"http://ti.hicloudcam.com",
"http://alohatube.xyz/search/tsara-brashears",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://search.app.goo.gl/?ofl",
"Worm:Win32/Benjamin",
"FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab",
"FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5",
"FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5",
"applemusic-spotlight.myunidays.com",
"nr-data.net",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4",
"blackhat.store",
"api.telegram.org",
"cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"display_name": "#Lowfi:SIGA:TrojanSpy:MSIL/Keylogger",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Silk",
"display_name": "Silk",
"target": null
},
{
"id": "Sabey",
"display_name": "Sabey",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2462,
"URL": 5950,
"FileHash-MD5": 168,
"FileHash-SHA1": 156,
"FileHash-SHA256": 3901,
"CIDR": 2,
"hostname": 2766,
"email": 2,
"CVE": 1
},
"indicator_count": 15408,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "839 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65be8e4a55f5851279c265c8",
"name": "https://www.hallrender.com/attorney/brian-sabey/ Gopher Ransomware ",
"description": "",
"modified": "2024-02-03T19:04:42.251000",
"created": "2024-02-03T19:04:42.251000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"sample",
"ssl certificate",
"feeds ioc",
"analyze",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"threat roundup",
"referrer",
"contacted urls",
"august",
"execution",
"njrat",
"ransomware",
"gopher",
"formbook",
"whois ssl",
"communicating",
"obz4usfn0 url",
"cfqirgdhj5 url",
"obz4usfn0",
"sfqh4dt74w0 url",
"cfqirgdhj5",
"localappdata",
"temp",
"getprocaddress",
"windir",
"ascii text",
"mitre att",
"file",
"ck id",
"show technique",
"path",
"factory",
"hybrid",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers date",
"gmt connection",
"obz4usfn0 http",
"cfqirgdhj5 http",
"bundled",
"dropped",
"putty",
"february",
"july",
"whois whois",
"malware",
"urls",
"post",
"vj87",
"passive dns",
"http",
"unique",
"ukhdaauqaaaaaac",
"screenshot",
"scan endpoints",
"all octoseek",
"code"
],
"references": [
"https://www.hallrender.com/attorney/brian-sabey/",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"business-support.intel.com",
"00000000000.cloudfront.net",
"mobileaccess.intel.com",
"artificial-legal-intelligence.com",
"http://intel.net/.about.html",
"http://medlineplus.gov.https.sci-hub.st",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"http://pl.gov-zaloguj.info",
"http://apple.helptechnicalsupport.com/favicon.ico",
"https://www.journaldev.com/41403/regex"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Gopher",
"display_name": "Gopher",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Ascii Exploit",
"display_name": "Ascii Exploit",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65b85e73efe2e053366ed972",
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 184,
"FileHash-SHA1": 168,
"FileHash-SHA256": 6027,
"URL": 13374,
"hostname": 4575,
"domain": 6755,
"CVE": 3
},
"indicator_count": 31086,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 224,
"modified_text": "849 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b85e7056e146f1416eae32",
"name": "https://www.hallrender.com/attorney/brian-sabey/",
"description": "",
"modified": "2024-01-30T02:26:56.698000",
"created": "2024-01-30T02:26:56.698000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"sample",
"ssl certificate",
"feeds ioc",
"analyze",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"threat roundup",
"referrer",
"contacted urls",
"august",
"execution",
"njrat",
"ransomware",
"gopher",
"formbook",
"whois ssl",
"communicating",
"obz4usfn0 url",
"cfqirgdhj5 url",
"obz4usfn0",
"sfqh4dt74w0 url",
"cfqirgdhj5",
"localappdata",
"temp",
"getprocaddress",
"windir",
"ascii text",
"mitre att",
"file",
"ck id",
"show technique",
"path",
"factory",
"hybrid",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers date",
"gmt connection",
"obz4usfn0 http",
"cfqirgdhj5 http",
"bundled",
"dropped",
"putty",
"february",
"july",
"whois whois",
"malware",
"urls",
"post",
"vj87",
"passive dns",
"http",
"unique",
"ukhdaauqaaaaaac",
"screenshot",
"scan endpoints",
"all octoseek",
"code"
],
"references": [
"https://www.hallrender.com/attorney/brian-sabey/",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"business-support.intel.com",
"00000000000.cloudfront.net",
"mobileaccess.intel.com",
"artificial-legal-intelligence.com",
"http://intel.net/.about.html",
"http://medlineplus.gov.https.sci-hub.st",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"http://pl.gov-zaloguj.info",
"http://apple.helptechnicalsupport.com/favicon.ico",
"https://www.journaldev.com/41403/regex"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Gopher",
"display_name": "Gopher",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Ascii Exploit",
"display_name": "Ascii Exploit",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "658b74ee93a0b0dc9c960cee",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 184,
"FileHash-SHA1": 168,
"FileHash-SHA256": 6027,
"URL": 13374,
"hostname": 4575,
"domain": 6755,
"CVE": 3
},
"indicator_count": 31086,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "854 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658b74ee93a0b0dc9c960cee",
"name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/",
"description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.",
"modified": "2024-01-26T00:00:39.927000",
"created": "2023-12-27T00:50:54.481000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"sample",
"ssl certificate",
"feeds ioc",
"analyze",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"threat roundup",
"referrer",
"contacted urls",
"august",
"execution",
"njrat",
"ransomware",
"gopher",
"formbook",
"whois ssl",
"communicating",
"obz4usfn0 url",
"cfqirgdhj5 url",
"obz4usfn0",
"sfqh4dt74w0 url",
"cfqirgdhj5",
"localappdata",
"temp",
"getprocaddress",
"windir",
"ascii text",
"mitre att",
"file",
"ck id",
"show technique",
"path",
"factory",
"hybrid",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers date",
"gmt connection",
"obz4usfn0 http",
"cfqirgdhj5 http",
"bundled",
"dropped",
"putty",
"february",
"july",
"whois whois",
"malware",
"urls",
"post",
"vj87",
"passive dns",
"http",
"unique",
"ukhdaauqaaaaaac",
"screenshot",
"scan endpoints",
"all octoseek",
"code"
],
"references": [
"https://www.hallrender.com/attorney/brian-sabey/",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"business-support.intel.com",
"00000000000.cloudfront.net",
"mobileaccess.intel.com",
"artificial-legal-intelligence.com",
"http://intel.net/.about.html",
"http://medlineplus.gov.https.sci-hub.st",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"http://pl.gov-zaloguj.info",
"http://apple.helptechnicalsupport.com/favicon.ico",
"https://www.journaldev.com/41403/regex"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Gopher",
"display_name": "Gopher",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Ascii Exploit",
"display_name": "Ascii Exploit",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 41,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 184,
"FileHash-SHA1": 168,
"FileHash-SHA256": 6027,
"URL": 13374,
"hostname": 4575,
"domain": 6755,
"CVE": 3
},
"indicator_count": 31086,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "858 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658b74f4a6c53cc8e0f70611",
"name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/",
"description": "A report generated by the MITRE ATT&CK\u2122 security team on 26 December 2023 is published on the website of Brian Sabey, the lawyer who brought the UK government to court.",
"modified": "2024-01-26T00:00:39.927000",
"created": "2023-12-27T00:51:00.982000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"sample",
"ssl certificate",
"feeds ioc",
"analyze",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"threat roundup",
"referrer",
"contacted urls",
"august",
"execution",
"njrat",
"ransomware",
"gopher",
"formbook",
"whois ssl",
"communicating",
"obz4usfn0 url",
"cfqirgdhj5 url",
"obz4usfn0",
"sfqh4dt74w0 url",
"cfqirgdhj5",
"localappdata",
"temp",
"getprocaddress",
"windir",
"ascii text",
"mitre att",
"file",
"ck id",
"show technique",
"path",
"factory",
"hybrid",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers date",
"gmt connection",
"obz4usfn0 http",
"cfqirgdhj5 http",
"bundled",
"dropped",
"putty",
"february",
"july",
"whois whois",
"malware",
"urls",
"post",
"vj87",
"passive dns",
"http",
"unique",
"ukhdaauqaaaaaac",
"screenshot",
"scan endpoints",
"all octoseek",
"code"
],
"references": [
"https://www.hallrender.com/attorney/brian-sabey/",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"business-support.intel.com",
"00000000000.cloudfront.net",
"mobileaccess.intel.com",
"artificial-legal-intelligence.com",
"http://intel.net/.about.html",
"http://medlineplus.gov.https.sci-hub.st",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"http://pl.gov-zaloguj.info",
"http://apple.helptechnicalsupport.com/favicon.ico",
"https://www.journaldev.com/41403/regex"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Gopher",
"display_name": "Gopher",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Ascii Exploit",
"display_name": "Ascii Exploit",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 43,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 184,
"FileHash-SHA1": 168,
"FileHash-SHA256": 6027,
"URL": 13374,
"hostname": 4575,
"domain": 6755,
"CVE": 3
},
"indicator_count": 31086,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "858 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658ca37e41ea135fa35b8832",
"name": "Masquerading: https://www.hallrender.com/attorney/brian-sabey/ ",
"description": "",
"modified": "2024-01-26T00:00:39.927000",
"created": "2023-12-27T22:21:50.409000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"urls https",
"sample",
"ssl certificate",
"feeds ioc",
"analyze",
"whois record",
"contacted",
"historical ssl",
"resolutions",
"threat roundup",
"referrer",
"contacted urls",
"august",
"execution",
"njrat",
"ransomware",
"gopher",
"formbook",
"whois ssl",
"communicating",
"obz4usfn0 url",
"cfqirgdhj5 url",
"obz4usfn0",
"sfqh4dt74w0 url",
"cfqirgdhj5",
"localappdata",
"temp",
"getprocaddress",
"windir",
"ascii text",
"mitre att",
"file",
"ck id",
"show technique",
"path",
"factory",
"hybrid",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"headers date",
"gmt connection",
"obz4usfn0 http",
"cfqirgdhj5 http",
"bundled",
"dropped",
"putty",
"february",
"july",
"whois whois",
"malware",
"urls",
"post",
"vj87",
"passive dns",
"http",
"unique",
"ukhdaauqaaaaaac",
"screenshot",
"scan endpoints",
"all octoseek",
"code"
],
"references": [
"https://www.hallrender.com/attorney/brian-sabey/",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"business-support.intel.com",
"00000000000.cloudfront.net",
"mobileaccess.intel.com",
"artificial-legal-intelligence.com",
"http://intel.net/.about.html",
"http://medlineplus.gov.https.sci-hub.st",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"http://pl.gov-zaloguj.info",
"http://apple.helptechnicalsupport.com/favicon.ico",
"https://www.journaldev.com/41403/regex"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "NjRAT",
"display_name": "NjRAT",
"target": null
},
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Gopher",
"display_name": "Gopher",
"target": null
},
{
"id": "Ransomware",
"display_name": "Ransomware",
"target": null
},
{
"id": "Ascii Exploit",
"display_name": "Ascii Exploit",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "658b74ee93a0b0dc9c960cee",
"export_count": 38,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 184,
"FileHash-SHA1": 168,
"FileHash-SHA256": 6027,
"URL": 13374,
"hostname": 4575,
"domain": 6755,
"CVE": 3
},
"indicator_count": 31086,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 232,
"modified_text": "858 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657ab025b97f20f31bbfcd70",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "Alleged attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life unbearable, threaten and cause harm to targets. I don't feel safe. I hope this research helps the next target.\n\nMissouri government is seen throughout. The corruption is mafia deep. There is tracking. In person stalking, theft, identity theft, mail theft, modification of records and services, legitimate death threats,etc.\nOpen records act: Target has made multiple reports to authorities regarding physical assaults, threats, phone hacking, etc. OCA: Reports show a settlement was paid by Brian Sabey in part to help Tsara Brashears discover hacker.\nI've been receiving death threats, followed, property accessed, tampering. Attacking entire family including her children, father and beyond.",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-14T07:35:01.537000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 512,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "871 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657c03432f4f2997c7d3aff4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:41:55.972000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "871 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657c045ef15bd06d27da1b08",
"name": "Resource Hijacking by attorney https://hallrender.com/attorney/brian-sabey",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-15T07:46:38.664000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657c03432f4f2997c7d3aff4",
"export_count": 508,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "871 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658dd341d97d04b0253392d4",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-28T19:57:53.875000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657ab025b97f20f31bbfcd70",
"export_count": 522,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "871 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658ef8c00492cc6bdaa8b605",
"name": "CryptInject \u2022 Inmortal \u2022 Invoke-Mimikatz \u2022 WannaCry Kill Switch | https://safebae.org",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2023-12-29T16:50:08.330000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "658dd341d97d04b0253392d4",
"export_count": 518,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 237,
"modified_text": "871 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659d6ae800440c0befb47e22",
"name": "BazaLoader affiliates use elaborate infection chains via notable victim interaction",
"description": "",
"modified": "2024-01-13T06:01:05.467000",
"created": "2024-01-09T15:48:56.676000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb",
"whois whois",
"whois parent",
"glupteba",
"setup stub",
"c2ae"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": "657c045ef15bd06d27da1b08",
"export_count": 250,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2001,
"hostname": 3531,
"URL": 7519,
"FileHash-MD5": 2851,
"FileHash-SHA1": 1622,
"FileHash-SHA256": 5092,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 22653,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "871 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657aaff046e2083b423a39e2",
"name": "Inmortal Invoke-Mimikatz",
"description": "Attorney defending Jeffrey Scott Reimer DPT. Firm uses every possible tool to destroy, make life uncomfortable, threaten and cause harm to targets.\nPossible masquerading / DBA as attorney with such illegal behavior.\nMay have been hired to harass and...she is reported dead of suicide morning after reporting harassment. Missouri government is seen throughout as if hired by firm. If this is a true law firm , the corruption is mafia deep. \n\nI'm 24/7 followed. Hacked l, etc. \nVery expensive threat and deliver campaign. Verdict: Digital profile completely destroyed. Lives at risk.",
"modified": "2024-01-12T04:02:22.872000",
"created": "2023-12-14T07:34:08.701000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"historical ssl",
"communicating",
"referrer",
"execution",
"tsara brashears",
"highly targeted",
"njrat",
"ransomware",
"heodo",
"tag count",
"thu aug",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"malicious url",
"blacklist https",
"united",
"firehol",
"maltiverse",
"cyber threat",
"control server",
"host",
"phishing",
"engineering",
"paypal",
"download",
"malware",
"nanocore rat",
"meterpreter",
"pony",
"facebook",
"stealer",
"redline stealer",
"dnspionage",
"mirai",
"nanocore",
"bradesco",
"emotet",
"cobalt strike",
"bank",
"zeus",
"zbot",
"suppobox",
"generic",
"site",
"cisco umbrella",
"alexa top",
"million",
"reverse dns",
"general full",
"url https",
"resource",
"protocol h2",
"security tls",
"software",
"get h2",
"hash",
"main",
"search live",
"api blog",
"docs pricing",
"december",
"hall render",
"advisory",
"brochure url",
"link url",
"linkedin link",
"facebook link",
"value",
"login",
"variables",
"modernizr",
"lsmeta function",
"lsoldgsqueue",
"de indicators",
"domains",
"hashes",
"copyright",
"gmbh version",
"no data",
"tld count",
"urls",
"count blacklist",
"heur",
"html",
"site top",
"malicious site",
"malware site",
"riskware",
"exploit",
"win64",
"unsafe",
"genkryptik",
"artemis",
"opencandy",
"agent",
"dropper",
"fakealert",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"tiggre",
"presenoker",
"filetour",
"cleaner",
"conduit",
"wacatac",
"mimikatz",
"redirector",
"deepscan",
"iframe",
"memscan",
"suspicious",
"magazine",
"applicunwnt",
"alexa",
"phish",
"win32.pdf.alien",
"freemake",
"webtoolbar",
"trojanspy",
"label",
"input",
"form",
"button",
"render",
"articles",
"column",
"brian",
"search",
"contact",
"span",
"accept",
"this",
"close",
"district",
"ultimate",
"ip address",
"blacklist",
"covid19",
"phishing chase",
"windows nt",
"khtml",
"gecko",
"veryhigh",
"aes256gcm",
"digicert global",
"g2 tls",
"rsa sha256",
"bypass",
"formbook",
"generic malware",
"cutwail",
"safe site",
"phishing site",
"team",
"tofsee",
"azorult",
"service",
"runescape",
"remcos",
"malicious",
"miner",
"hacktool",
"agenttesla",
"unknown",
"downloader",
"trojan",
"detplock",
"networm",
"cryptinject",
"beach research",
"rms",
"redline",
"brian sabey",
"hallrender.com",
"hallrender.com/attorney/brian-sabey",
"tulach",
"tulach.cc",
"mo.gov",
"safebae.org",
"civicalg.com",
"civicalg",
"passive dns",
"domain",
"registrar",
"scan endpoints",
"all octoseek",
"hostname",
"pulse pulses",
"date",
"next",
"computer",
"company limited",
"first",
"utc submissions",
"submitters",
"gti9158",
"gti9080l",
"gti9128v",
"summary iocs",
"graph community",
"namecheap inc",
"cloudflare",
"com laude",
"ltd dba",
"porkbun llc",
"ii llc",
"csc corporate",
"amazon02",
"google",
"cloudflarenet",
"akamaias",
"innova co",
"indonesia",
"level3",
"china telecom",
"mb setup",
"mb opera",
"mb qimage",
"mb iesettings",
"mb super",
"optimizer",
"premium",
"pattern match",
"file",
"ascii text",
"indicator",
"jpeg image",
"et tor",
"known tor",
"misc attack",
"relayrouter",
"general",
"hybrid",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"traffic",
"tor known",
"exit",
"node tcp",
"tor relayrouter",
"spammer",
"tor exit",
"threats et",
"node udp",
"adware",
"quasar rat",
"installpack",
"xrat",
"fusioncore",
"union",
"raccoon",
"metastealer",
"xtrat",
"blacklist http",
"url http",
"hijacking",
"information",
"report spam",
"attorney",
"trojanx",
"zpevdo",
"vidar",
"agent tesla",
"nymaim",
"virut",
"occamy",
"iobit",
"sality",
"all search",
"otx octoseek",
"author avatar",
"role title",
"added active",
"related pulses",
"entries",
"indicator role",
"title added",
"active related",
"pulses url",
"pulses",
"ipv4",
"expiration",
"no expiration",
"iocs",
"create new",
"site safe",
"lovgate",
"unruy",
"patcher",
"nsis",
"installcore",
"adload",
"cve201711882",
"sonbokli",
"ubot",
"hsbc",
"uztuby",
"malicious host",
"microsoft",
"psexec",
"brontok",
"startpage",
"keygen",
"fareit",
"secrisk",
"floxif",
"threat roundup",
"c2 raccoon",
"march",
"critical risk",
"apple phone",
"unlocker",
"installer",
"laplasclipper",
"blister",
"june",
"name verdict",
"falcon sandbox",
"malware generic",
"tue dec",
"temp",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"twitter",
"seraph",
"bazaloader",
"media",
"security",
"technology",
"dns replication",
"virustotal",
"win32 exe",
"files",
"detections type",
"name",
"notepad",
"java",
"update checker",
"verisign",
"server",
"asia pacific",
"data",
"whois database",
"registrar abuse",
"apnic whois",
"apnic",
"icann whois",
"nanjing",
"cnnic",
"hackers",
"virus network",
"relacionada",
"cyberstalking",
"excel",
"macros sneaky",
"unauthorized",
"wannacry kill",
"attack",
"core",
"qakbot",
"lumma stealer",
"ransomexx",
"quasar",
"metro",
"copy",
"project",
"cnc server",
"proxy",
"ramnit",
"cl0p",
"inmortal",
"noname057",
"jul jan",
"fri jun",
"tag tag",
"failed_code_integrity_checks",
"python_initiated-connection",
"powershell_create_scheduled",
"creation_of_an_executable_by_an_executable",
"botnetwork",
"c2",
"apple hacking",
"government relations",
"abuse",
"download csv",
"json ip",
"linkid252669",
"adwaresig",
"suspected",
"filerepmalware",
"dapato",
"predator",
"fakeinstaller",
"spyrixkeylogger",
"bitminer",
"loadmoney",
"mediaget",
"softonic",
"encpk",
"qbot",
"kraddare",
"dllinject",
"driverpack",
"genpack",
"offercore",
"vitzo",
"babar",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"b body",
"sha256",
"headers",
"connection",
"pragma",
"team malware",
"binder",
"pykspa",
"feodo",
"mark",
"bomb"
],
"references": [
"https://hallrender.com/attorney/brian-sabey",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"192.124.249.53:80",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"https://poemhunter.com/tsara-brashears/",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"government.westlaw.com",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"west-sca.duckdns.org",
"us-west-2.es.amazonaws.com (pslicorp)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"www.hallrender.com (malware hosting)",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"www.dead-speak.com",
"www42.jhonisdead.com",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"fakecelebporno.com",
"batchcourtexpressservicesqa.westlaw.com",
"batchpublicrecords.westlaw.com",
"apple-aqo.com (1 DNSPod.net)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"c.oooooooooo.ga (c.apple.com cdn)",
"https://www.anyxxxtube.net/media/favicon/apple",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://www.hallrender.com/attorney/brian-sabey"
],
"public": 1,
"adversary": "M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"targeted_countries": [],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WIN32.PDF.Alien",
"display_name": "WIN32.PDF.Alien",
"target": null
},
{
"id": "Freemake",
"display_name": "Freemake",
"target": null
},
{
"id": "Redirector",
"display_name": "Redirector",
"target": null
},
{
"id": "Zbot",
"display_name": "Zbot",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "Behav",
"display_name": "Behav",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "RMS",
"display_name": "RMS",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "WIN32.PDF.ALIEN",
"display_name": "WIN32.PDF.ALIEN",
"target": null
},
{
"id": "ZeuS",
"display_name": "ZeuS",
"target": null
},
{
"id": "SuppoBox",
"display_name": "SuppoBox",
"target": null
},
{
"id": "Trojan:Win32/Wacatac",
"display_name": "Trojan:Win32/Wacatac",
"target": "/malware/Trojan:Win32/Wacatac"
},
{
"id": "ALF:Trojan:Win32/FormBook",
"display_name": "ALF:Trojan:Win32/FormBook",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "njRAT",
"display_name": "njRAT",
"target": null
},
{
"id": "Trojan:Win32/Tiggre",
"display_name": "Trojan:Win32/Tiggre",
"target": "/malware/Trojan:Win32/Tiggre"
},
{
"id": "Invoke-Mimikatz",
"display_name": "Invoke-Mimikatz",
"target": null
},
{
"id": "China Telecom",
"display_name": "China Telecom",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Sonbokli",
"display_name": "Sonbokli",
"target": null
},
{
"id": "Ubot",
"display_name": "Ubot",
"target": null
},
{
"id": "HSBC",
"display_name": "HSBC",
"target": null
},
{
"id": "Uztuby",
"display_name": "Uztuby",
"target": null
},
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "Inmortal",
"display_name": "Inmortal",
"target": null
},
{
"id": "Domains",
"display_name": "Domains",
"target": null
},
{
"id": "Vitzo",
"display_name": "Vitzo",
"target": null
},
{
"id": "Babar",
"display_name": "Babar",
"target": null
},
{
"id": "Qbot",
"display_name": "Qbot",
"target": null
},
{
"id": "WannaCry Kill Switch",
"display_name": "WannaCry Kill Switch",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [
"Health"
],
"TLP": "white",
"cloned_from": null,
"export_count": 438,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1995,
"hostname": 3222,
"URL": 7179,
"FileHash-MD5": 2749,
"FileHash-SHA1": 1538,
"FileHash-SHA256": 4661,
"CVE": 24,
"email": 9,
"CIDR": 4
},
"indicator_count": 21381,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 228,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65715ad29ac565164664960b",
"name": "InstallMate",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-07T05:40:34.888000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 210,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 226,
"modified_text": "878 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65715b49b95c13605856d6d0",
"name": "Lazarus Group _ 192.229.211.108",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-07T05:42:33.281000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65715ad29ac565164664960b",
"export_count": 210,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "878 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6572622bba87d8d105a7259f",
"name": "Lazarus Group _ 192.229.211.108",
"description": "",
"modified": "2024-01-06T05:02:33.698000",
"created": "2023-12-08T00:24:11.801000",
"tags": [
"as15133 verizon",
"united",
"unknown",
"passive dns",
"scan endpoints",
"all octoseek",
"ipv4",
"pulse pulses",
"urls",
"files",
"trojandropper",
"body",
"orgtechhandle",
"orgid",
"w jefferson",
"blvd",
"city",
"los angeles",
"stateprov",
"postalcode",
"sawyer",
"kleinart",
"mtb dec",
"win32upatre dec",
"win32qqpass dec",
"entries",
"date hash",
"avast avg",
"name verdict",
"falcon sandbox",
"generic malware",
"tag count",
"wed sep",
"threat report",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"count blacklist",
"generic",
"noname057",
"csv behavior",
"text",
"win32 dll",
"win32 exe",
"javascript",
"office open",
"xml document",
"text iocs",
"mario",
"csv test",
"python",
"ip summary",
"text query16752",
"text edge",
"type name",
"services",
"net192",
"net1920000",
"cidr",
"nethandle",
"orgabusehandle",
"orgabusephone",
"as14153",
"contacted",
"ssl certificate",
"tsara brashears",
"whois whois",
"ransomware",
"apple ios",
"family",
"roots",
"lolkek",
"tzw variants",
"emotet",
"bluenoroff",
"lazarus",
"dark power",
"play ransomware",
"makop",
"attack",
"core",
"hacktool",
"chaos",
"ransomexx",
"quasar",
"njrat",
"installer",
"banker",
"keylogger",
"execution",
"ermac",
"metasploit",
"relic",
"monitoring",
"qakbot",
"thu nov",
"url summary",
"first",
"cobalt strike",
"strike cobalt",
"malicious url",
"tld count",
"sun sep",
"china cobalt",
"strike",
"cyber threat",
"maltiverse",
"malware site",
"malicious host",
"malware",
"host",
"phishing",
"team",
"exploit",
"mirai",
"pony",
"nanocore",
"bradesco",
"suppobox",
"laplasclipper",
"asyncrat",
"fakealert",
"ramnit",
"cisco umbrella",
"site",
"safe site",
"heur",
"malicious site",
"alexa top",
"million",
"phishing site",
"artemis",
"unsafe",
"riskware",
"bank",
"outbreak",
"dropper",
"trojanx",
"turla",
"installcore",
"acint",
"conduit",
"installpack",
"iobit",
"mediaget",
"crack",
"iframe",
"downldr",
"agent",
"presenoker",
"alexa",
"blacknet rat",
"stealer",
"unruy",
"cleaner",
"union",
"dbatloader",
"downloader",
"blocker",
"ransom",
"autoit",
"bladabindi",
"trojan",
"irata",
"azorult",
"service",
"runescape",
"facebook",
"download",
"genkryptik",
"opencandy",
"trojanspy",
"relacionada",
"referrer",
"formbook",
"blacklist http",
"control server",
"firehol",
"botnet command",
"http spammer",
"mail spammer",
"phishtank",
"dnspionage",
"betabot",
"wormx",
"redline stealer",
"solimba",
"zbot",
"webtoolbar",
"utc submissions",
"submitters",
"tot public",
"company limited",
"gandi sas",
"ovh sas",
"mb iesettings",
"mb acrotray",
"kb program",
"team alexa",
"quasar rat",
"spammer",
"team proxy",
"ip reputation",
"cins active",
"online fri",
"online sat",
"sat apr",
"temp",
"windir",
"kontakt",
"antivirus",
"sat jun",
"gmt0600",
"programdata",
"regexpandsz d",
"allusersprofile",
"soar",
"malicious",
"programfiles",
"sun jun",
"mbt",
"info api",
"http",
"redlinestealer",
"score integrate",
"siem",
"tencent",
"rc7 bypassed",
"mon jun",
"api sample",
"hybridanalysis",
"online sun",
"fri jun",
"tue apr",
"code",
"date",
"hackers",
"lumma stealer",
"ursnif",
"open"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "MBT",
"display_name": "MBT",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65715b49b95c13605856d6d0",
"export_count": 234,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 882,
"FileHash-SHA1": 497,
"FileHash-SHA256": 3763,
"URL": 3088,
"hostname": 1203,
"CIDR": 2,
"domain": 680,
"CVE": 9,
"email": 13
},
"indicator_count": 10137,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 234,
"modified_text": "878 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6562908e28e6cdc237fbf8db",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2023-12-26T00:03:03.925000",
"created": "2023-11-26T00:25:50.529000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 83,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3751,
"URL": 10878,
"domain": 2914,
"hostname": 3520,
"CVE": 16
},
"indicator_count": 23902,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "889 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "656aafce24b001cba328dcbc",
"name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"description": "",
"modified": "2023-12-26T00:03:03.925000",
"created": "2023-12-02T04:17:18.188000",
"tags": [
"ssl certificate",
"contacted",
"threat roundup",
"whois record",
"communicating",
"subdomains",
"resolutions",
"june",
"july",
"october",
"august",
"noname057",
"generic malware",
"ice fog",
"tag count",
"thu nov",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"first",
"generic",
"detection list",
"blacklist http",
"cisco umbrella",
"site",
"heur",
"alexa top",
"safe site",
"million",
"malware",
"alexa",
"malware site",
"malicious site",
"unsafe",
"artemis",
"fakealert",
"exploit",
"opencandy",
"riskware",
"genkryptik",
"iframe",
"tiggre",
"presenoker",
"agent",
"conduit",
"wacatac",
"phishing",
"redline stealer",
"dropper",
"cobalt strike",
"acint",
"nircmd",
"swrort",
"downldr",
"systweak",
"behav",
"crack",
"filetour",
"cleaner",
"installpack",
"xrat",
"fusioncore",
"azorult",
"service",
"runescape",
"facebook",
"bank",
"download",
"blacknet rat",
"stealer",
"maltiverse",
"webtoolbar",
"trojanspy",
"united",
"engineering",
"cyber threat",
"phishing site",
"america",
"emotet",
"zbot",
"malicious",
"steam",
"team",
"indonesia",
"miner",
"ransomware",
"ramnit",
"pe resource",
"historical ssl",
"execution",
"hacktool",
"metasploit",
"relic",
"monitoring",
"android",
"skynet",
"et",
"anonymizer",
"trojanx",
"back",
"laplasclipper",
"win64",
"trojan",
"ghost rat",
"suppobox",
"asyncrat",
"union",
"samples",
"blacklist",
"malicious url",
"hostname",
"hostnames",
"tsara brashears",
"reinsurance",
"pinnacol insurance",
"industry and commerce",
"state",
"danger",
"warning",
"nr-data.net",
"apple",
"data.net",
"asp.net",
"domains",
"hashes",
"reverse dns",
"general full",
"resource",
"software",
"asn15169",
"google",
"url http",
"server",
"hash",
"get h2",
"main",
"cookie",
"thu dec",
"germany",
"frankfurt",
"netherlands",
"asn20446",
"highwinds3",
"page url",
"search live",
"api blog",
"docs pricing",
"tags",
"november",
"us summary",
"http",
"google safe",
"browsing",
"adware",
"xtrat",
"firehol",
"microsoft",
"control server",
"services",
"msil",
"hiloti",
"asn16509",
"amazon02",
"fastly",
"asn54113",
"prague",
"login",
"listen live",
"centura health",
"colorado jobs",
"eeo public",
"filing url",
"blacklist https",
"mimikatz",
"beach research",
"de indicators",
"copyright",
"gmbh version",
"follow",
"softcnapp",
"philadelphia",
"gamehack",
"value",
"line",
"variables",
"nreum",
"postrelease",
"url https",
"security tls",
"protocol h2",
"name value",
"scam",
"gesponsert url",
"outputldjh",
"oid2",
"uhis2",
"uh1200",
"uw1600",
"uah1200",
"uaw1600",
"ucd24",
"usd1",
"utz60",
"no data",
"coinminer",
"ip address",
"exchange",
"http attacker",
"states",
"jimburkedentistry",
"leder-family",
"adam lee",
"erika lee",
"malvertizing"
],
"references": [
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://tracks.theleders.family",
"photos.theleders.family",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"http://mobtrack.trkclk.net",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"nr-data.net",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"103.233.208.9 (CNC IP)",
"apex.jquery.com (scammer | works for who?)",
"api.useragentswitch.com",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"dns.google (DNS client services - Doug Cole)",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"apple-dns.net",
"emails.redvue.com (apple DNS w/amvima)",
"142.250.180.4 (init.ess)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"freeimdatingsites.thomasdobo.eu",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"https://urlscan.io/domain/maxwam.tk",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Beach Research",
"display_name": "Beach Research",
"target": null
},
{
"id": "GameHack",
"display_name": "GameHack",
"target": null
},
{
"id": "States",
"display_name": "States",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "6562908e28e6cdc237fbf8db",
"export_count": 78,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1956,
"FileHash-SHA1": 867,
"FileHash-SHA256": 3751,
"URL": 10878,
"domain": 2914,
"hostname": 3520,
"CVE": 16
},
"indicator_count": 23902,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "889 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://www.hallrender.com/attorney/brian-sabey/#breadcrumb",
"https://sinister.ly/Thread-Apple-empty-box?page=13",
"Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords",
"TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service",
"If someone is believed to be a threat they have right to due process.",
"https://www.sweetheartvideo.com/tsara-brashears/ [Pin.It BotNet a Malicious Pinterest fraud service]",
"https://pin.it/ [Tsara Brashears Lesbian (libel) Botnetwork, libel]",
"photos.theleders.family",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"apex.jquery.com (scammer | works for who?)",
"http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/",
"www42.jhonisdead.com",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe",
"west-sca.duckdns.org",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"Target \u2192 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian (attached to Pinterest account)",
"poemhunter.com (Blacklisted.Target Tsara Brashears with relentless malvertizing attacks including, device hacking)",
"https://applemusic-spotlight.myunidays.com/US/en-US? (remote hacking)",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
"https://therahand.com",
"https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators",
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators",
"Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,",
"I am very upset. Whoever is doing this is sick.",
"000002f1558a89f29984934d511289491032f9e96a249c12f2f6d42678264114 (Notepad.exe - python initiated connection)",
"www.opencandy.com",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd",
"Can the DoD no questions asked target a SA victim",
"45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"emails.redvue.com (apple DNS w/amvima)",
"www.metrobyt-mobile.com (So very hacked. Should be shut down. No corporate headquarters. Malicious practices by many independent owners)",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile",
"https://hybrid-analysis.com/sample/66a840a853476a7b66a1202d7f21b28e71b94912341dee123345e620f41fda9d/6571d012385f14f31d0191ad",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"c.oooooooooo.ga (c.apple.com cdn)",
"apple.com. (malicious version/header)",
"114.114.114.114. (auto populated IP descriptions: tulach, brian sabey, apple, law)",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4 (Apple access hacktool \u2192init.ess.apple.com/Web0)",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=",
"https://urlscan.io/domain/maxwam.tk",
"www.socialimages.reputationdatabase.com",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Heavy malvertizing. Phishing m formerly named a Bot Network. )",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"http://45.159.189.105/bot/regex (Bot Command)",
"AS24961 MyLoc Managed IT AG",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"apple-dns.net",
"https://www.hallrender.com/attorney/brian-sabey/",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"rp.dudaran2.com [routerlogin.net to safebae.org]",
"Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook",
"https://www.apple.com/sitemap/",
"142.250.180.4 (init.ess)",
"https://www.hallrender.com/professional/kathy-l-thurston/ (phishing)",
"https://support.apple.com/en-us/HT201265. Targets (iOS ID)",
"https://meumundogay-com.sexogratis.page/locker",
"fb582cc7cfcfa64786caff627cc34ff7aedf7a97620d0cd2eb927d4bb3b7653d",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"00000000000.cloudfront.net",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"nr-data.net",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers",
"http://xd.x9.client.api.vpngate2.jp/api/?session_id=1773986324675443378",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"https://www.journaldev.com/41403/regex",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"applepaydayloans.com",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"BinBusyBox: 0x.un5t48l3.host",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"Remotewd.com devices",
"https://www.hallrender.com/2018/12/13/nationwide-emailed-bomb-threats-are-new-ransom-technique (target emailed bomb \"t\" threat, reported, dismissed)",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"http://ti.hicloudcam.com",
"151.101.0.84 US - United States Pinterest Botnet Command and Control Server - 23.62.46.21",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"drive.google.com/",
"DetectItEasy PE32 Installer: Inno Setup Module (6.0.0) [unicode] Compiler: Embarcadero Delphi (10.3 Rio) [Professional] Linker: Turbo Linker (2.25*,Delphi) [GUI32,signed] Overlay: Inno Setup Installer data",
"web2.westlaw.com (Malicious: Only targets Tsara Brashears & safebae.org/cyber stalking now deceased Daisy Coleman deceased, alleged suicide )",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"batchpublicrecords.westlaw.com",
"https://urldefense.us/v2/url?u=http-3A__support.apple.com_kb_HT2693&d=DwMGaQ&c=mcnPvAfk3Xtjyky7sc3uA24Vk9hJzQ1fEHisENJPWek&r=PjGDHIUs1kNE6nRUZrOEsufSDp8LBQ-SwHI1wE1Z0Qo&m=zBlvHUR-UT1fW5-53xrUtd5Uj5DBn30a-XGaqZ1lyWh4YCJi5SWOvg3tVORPEuat&s=OJ-NfystLux9f25c44kAAuBLCoTAo6gQJ7EMKHRlrCk&e=&data=05",
"FileHash-MD5\ted5c771224fbd6f9b2c0cf1e8cce09b5",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1%27 (malware hosting)",
"Ransomware: message.htm.com",
"prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022",
"alohatube.xyz (http://benjamin.xww.de/ porn malvertizing blame shift. Formerly property of Hall Render Brian Sabey)",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post",
"http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=4",
"acam-mdn.apple.com",
"There is fear in silence or speaking out",
"api.useragentswitch.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"applemusic-spotlight.myunidays.com",
"https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017",
"Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal",
"Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget",
"https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source",
"mobileaccess.intel.com",
"http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Data Analytics",
"FileHash-SHA256\t00000254e6344d34a1e4ef157cb01d8b7efa65c22c996f9dfe85e7482c6c86ab",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Other malicious Hall Render assets and attacks. This doesn't include evidence of physical, documented crimes against targets who may not know source)",
"http://www.Apple.com/quicktime/download/standalone.html",
"https://firebaseremoteconfig.googleapis.com/v1/projects/16163253122/namespaces/firebase:fetch (remote hacking)",
"103.233.208.9 (CNC IP)",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"http://mobtrack.trkclk.net",
"Target agreed and complied with all lie detector measures.",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839",
"http://alohatube.xyz/search/tsara-brashears",
"Roksit.net",
"Colorado maintains a public-facing police misconduct database via the state's",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"batchcourtexpressservicesqa.westlaw.com",
"https://www.anyxxxtube.net/media/favicon/apple",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"https://account.helix.com/activate/start",
"AS54113 Fastly Autonomous System aggregation for Pinterest United States Botnet Command and Control Server",
"us-west-2.es.amazonaws.com (pslicorp)",
"https://link.monetizer101.com/widget/code/dailystaruk.js",
"https://www.red-gate.com/products/smartassembly",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"(Can't access file- Malware infection files)",
"Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab",
"http://dreamsofspanking.com/scene/item/rosie-backlash-caning?utm_campaign=apr15",
"cobaltstrike4.tk | https://cobaltstrike4.tk:8443/include/template/isx.php",
"www.jamesbgriffinlaw.com (malicious host)",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"api.telegram.org",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Target \u2192 https://www.pinterest.com/pinkbuffalorun/ (EMOTET) Full control taken. True Board owner (a legitimate business) was likely very unaware Pinterest activities all flowed through the Dark Web. (Research shows over 5000 followers | 1 million visits per mo | more than 1 million pins re-pinned)",
"https://www.searchw3.com/",
"http://ax.itunes.apple.com/WebObjects/MZStoreServices.woa/ws/RSS/toppaidapplications/limit=10/xml",
"https://es.pornhat.com/models/the-sex-creator/",
"stagelight.pl (malicious/ pattern match)",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"fakecelebporno.com",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"init.ess.apple.com (remote hacking)",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"beacons.bcp.gvt.com",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://www.hallrender.com/service/antitrust/ ('t' process - targetsTsara Brashears)",
"widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"http://45.159.189.105/bot/online?guid=WALKER-PC&key=b73f03cae5752ff4c823f89de539b59754bc4e65d43970358b17bcf21fb6c4e5 (remote hacking)",
"https://thebrotherssabey.wordpress.com/",
"https://hybrid-analysis.com/sample/ba72877899dffe3cfb08ab3b61d24e45325f0c27f3cec81e88e9dcf3f84f7098",
"https://www.roseoubleu.fr/panier (phishing)",
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"www.dead-speak.com",
"http://45.159.189.105/bot/regex ( Laplas clipper, Password stealer. Tracks Tsara Brashears, devices, location, , behavior. Obsessive targeting & social engineering)",
"remote.telegrafix.com (remote hacking)",
"vortex-nlb-http2-fed-us-taut-purple.nr-data.net [Apple data, ransomed]",
"Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p",
"hallrender.com (Malware hosting DGA domain, malware hosting, social engineering , fraud services, threat hounds, cyber criminals, dangerous group)",
"init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)",
"www.pornhub.com (Targets Tsara Brashears. Pornography malvertizing, tagging)",
"http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"https://applepaydayloans.com/",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"https://hallrender.com/attorney/brian-sabey",
"talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"remote.haverhillcc.com (remote hacking)",
"hero9780.duckdns.org ( government.westlaw.com/house of mo)",
"https://1.1.1.1/login.html [login access to Brashears' Warp if applicable]",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"http://clipper.guru/bot/online?guid=WALKER-PC (remote hacking)",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Name : iveins.de Service : connect",
"192.124.249.187",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)",
"hallplan.vm05.iveins.de",
"Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"www.hallrender.com (malware hosting)",
"http://www.Apple.com/quicktime/download",
"7651508989a859a165a3e587268021e3ce3734b3e8711d06a101068c60dfdbbe ( Spyware| tsetup.2.4.4.exe | Downloader.Agent!1.E2F1 (CLASSIC) |Telegram Messenger Inc WeExtract malicious installation on targets media & devices)",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net",
"http://medlineplus.gov.https.sci-hub.st",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian ( tagging, malware campaign, Apple iOS password cracker, libel, straight female)",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront",
"Worm:Win32/Benjamin",
"https://tracking.crazyegg.com/clock?t=1701949195114&tk=09a1de462eccb2ebc17a566aec5ed8b4&s=331938&p=%2Fattorney%2Fbrian-sabey%2F&u=502212&v=618f8e048086160d46ee09468f987c3211863abb&f=hallrender.com%2Fattorney%2Fbrian-sabey&ul=https%3A%2F%2Fwww.hallrender.com%2Fattorney%2Fbrian-sabey%2F ( tracking tsra Brashears,tracking, clock app)",
"34bc869d2906198362a4346373ce5b94 (bpbd.portal.ov.bd/npfblock/2021-jpg.",
"http://init-p01st.push.apple.com/bag (remote hacking)",
"http://intel.net/.about.html",
"Files",
"Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"safebae.org (Skynet) Was now deceased Daisy Coleman a real person or actress in Audrey & Daisy? Tragic",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"init.ess.apple.com ( Code Script \u2022 MortalK)",
"http://tracks.theleders.family",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"http://pl.gov-zaloguj.info",
"Behavior Pattern Match Analysis",
"apple-aqo.com (1 DNSPod.net)",
"cpcontacts.webcamara.online",
"blackhat.store",
"https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512 (Mile High Media malvertizing relationship = subsidiary)",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://support.Apple.com/de",
"Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files",
"constellation.pcfrpegaservice.net (Pegasus related? idk)",
"(unsupported_iexplore exploit/redirect) https://www.pinterest.com/pin/mood--35536284546940000/ (Dark Web Trace)",
"https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js",
"192.124.249.53:80",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"https://poemhunter.com/tsara-brashears/",
"Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://alohatube.xyz/search/tsara-brashears (Formerly Botnetwork malvertizing campaign targeting Tsara Brashears crime victim. Now http. Benjamin. xww )",
"iamrobert.com Y.A.S.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"government.westlaw.com",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"If you find anything interesting please research it.",
"freeimdatingsites.thomasdobo.eu",
"Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu phishing and other cybercrime, serious cyber attacks)",
"firebaseremoteconfig.googleapis.com (remote hacking)",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"dns.google (DNS client services - Doug Cole)",
"https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://www.virustotal.com/graph/g682ab72ed7b14bc68948e2dbfc22be8f7b2a00a339eb490083e18dc764a618dd",
"http://www.hallrender.com/resources/blog (Malware hosting, malvertizing URL/ targets Tsara Brashears)",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"sentient.industries affects independent artists. Affects several others.",
"business-support.intel.com",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"FileHash-SHA1\tf336b50f5cca2ddc0341e2c4001b419a830d27a5",
"https://www.hallrender.com/attorney/brian-sabey",
"http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409",
"http://ww1.tsx.org/_fd",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"https://search.app.goo.gl/?ofl",
"Bethseda Map - Yara Detections Delphi , InnoSetupInstaller",
"45.159.189.105 (Command and Control)",
"IP\u2019s Contacted: 192.124.249.187",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"http://link.monetizer101.com/widget/custom-2.0.2/templates/1",
"bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"https://www.milehighmedia.com/legal/2257 (exploit source | revenge porn)",
"artificial-legal-intelligence.com",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel (remote hacking/potentially maliciousRedTeam)",
"https://www.hallrender.com/wp-content/themes/Hall-Render/assets/js/minified/lazy_load-1.9.7-min.js?ver=3.0.1 (malware hosting)",
"http://45.159.189.105/bot/regex (tracks Tsara Brashears)",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net (BitCoin Aussie)",
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"http://apple.helptechnicalsupport.com/favicon.ico",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"M. Brian Sabey Hall Render Malicious & Dangerous Threat Actor",
"NSO Pegasus",
"COINBASECARTEL"
],
"malware_families": [
"Gen:variant.razy",
"Alf:program:opencandy:remnant",
"Win64:trojanx",
"Trojan:msil/clipbanker",
"Generic.malware",
"Win.trojan.bulz-9860169-0",
"Win.trojan.jorik-149",
"Anonymizer",
"Relic",
"Suppobox",
"W32.hack.generic",
"Artemis",
"Undefined 1\tms 1\txyz 1\tgl 1\tnet tld aggregation com ms xyz gl net 20% 20% 20% 20% 20% tld\tcount com\t1 undefined\tnan ms\t1 xyz\t1 gl\t1 net\t1 combined blacklist timeline hybrid-analysis maltiverse resea",
"Malicious.22a4c0",
"Trojan:win32/tiggre!rfn",
"Psw.generic13",
"Nid",
"Win.trojan.fakecodecs-119",
"Malware_download\tsuspicious.low.ml 2\tmalicious.moderate.ml 1\tunsafe.ai_score_98% 1\tmobigame 1\tbanker,evasive,retefe 1\tprogram.unwanted 1\tmalicious.high.ml 1\tkryptik.dawvk 1\tunsafe.ai_score_91% 1\tadwar",
"Skynet",
"Sabey",
"Dropper.binder",
"Win.malware.midie-6847892-0",
"#lowfi:hstr:msil/malicious.decryption",
"Emotet",
"Dotnet",
"Babar",
"Virtool:msil/covent.a",
"Formbook",
"Win.trojan.generic-6417450-0",
"Win.packed.razy-9785185-0",
"Trojan.html.agent",
"Cobalt strike - s0154",
"Keyloggers",
"E5",
"Pws:msil/steam",
"Msil:agent-dq\\ [trj]",
"Apnic",
"Trojan:win32/floxif.e",
"Alf:heraklezeval:trojan:win32/ymacco.aa47",
"Tel:trojan:win32/emotet",
"Win.trojan.generic-9862772-0",
"#lowfi:siga:trojanspy:msil/keylogger",
"Njrat",
"Lockbit",
"Win.packed.fecn-7077459-0",
"Win32.pdf.alien",
"Trojan:win32/wacatac",
"Win.packed.msilperseus-9956592-0",
"Hacktool:win32/autokms",
"Other malware",
"Kelihos",
"Ml.generic",
"Win32:malob-db\\ [cryp]",
"Mbt",
"Sonbokli",
"Win.trojan.adinstall-2",
"Ransom",
"Uztuby",
"Legacy.trojan.agent-37025",
"Win.trojan.generic-9801687-0",
"Backdoor:msil/bladabindi.aj gc!",
"Win.trojan.nanocore-5",
"Win32/nemucod",
"Trojan:win32/gandcrab",
"Other dangerous malware",
"Luhe.fiha.a",
"Ascii exploit",
"Gamehack",
"Et",
"Alf:heraklezeval:pua:win32/ultradownloads",
"Win.dropper.njrat-10015886-0",
"Win.malware (30)",
"Behav",
"Trojandropper:win32/muldrop.v!mtb",
"Trojan:win32/pynamer!rfn",
"Mydoom",
"Gen:variant.bulz",
"Invoke-mimikatz",
"Ramnit",
"Win.malware.bzub-6727003-0",
"Backdoor:msil/bladabindi.aj",
"Gamehack.dr",
"Pua.optimizerpro/pcoptimizerpro",
"Trojandropper:win32/muldrop",
"Win.virus.virlock-6804475-0",
"Silk",
"Atros.upk",
"Backdoor:asp/chopper.f!dha",
"Pws",
"Malware.generic",
"Trojan.generic",
"Redline",
"Generic.31fcc75f",
"#lowfienabledtcontinueafterunpacking",
"Nufs_inno",
"Wannacry kill switch",
"Mirai",
"Trojan:msil/ranos.a",
"Tel:delphi/obfuscator",
"Zeus",
"Pegasus",
"Trojan:win32/toga",
"Webtoolbar",
"Trojan:win32/glupteba.mt!mtb",
"Malware",
"Freemake",
"China telecom",
"Trojan:win32/tiggre",
"Vitzo",
"Redline stealer",
"Tofsee",
"Generic",
"Win.downloader.109205-1",
"Trojan:win32/zombie.a",
"Win.packed.generic-9795615-0\t.",
"Domains",
"Beach research",
"Zbot",
"#lowfi:hstr:msil/malicious",
"Inmortal",
"Fakeav.for",
"Php.exploit.c99-27",
"Alf:backdoor:msil/noancooe.ka",
"Exploit:js/cve-2014-0322",
"Alf:jasyp:pua:win32/bibado",
"Win32:downloader-gjk\\ [trj]",
"Maltiverse",
"Laplasclipper",
"Backdoor.mokes",
"Ubot",
"Win.packed.generic-9795615-0",
"Trojanspy",
"Qvm20.1.8d80.malware",
"Virtool:msil/covent",
"Win.malware.kolab-9885903-0",
"Elf:gafgyt-dz\\ [trj]",
"Adware.dropware",
"Script exploit",
"Slfper:installcore",
"Trojan.ransom.generickd",
"Cve-2025-11727",
"Proxy",
"Ransomware",
"Trojan:win32/zbot.sibl!mtb",
"Qbot",
"Cl0p",
"Rms",
"Gopher",
"Win.trojan.jorik-130",
"Redirector",
"Hsbc",
"Generic.asmalws malicious_confidence_70% 1\til:trojan.msilzilla 1\tfilerepmalware 1\transom.sabsik 1\tbehaveslike.dropper 1\tmicrosoft phishing 1\tbackdoor.mokes 1\tphishing bank of america corporat",
"Sdbot.caoc",
"Trojan:win32/blihan.a",
"Ver",
"Worm:win32/benjamin",
"#hstr:hacktool:win32/mimikatz",
"Unix.trojan.mirai-5607483-0",
"#lowfi:hstr:msil/obfuscator.deepsea",
"Custom malware",
"Xanfpezes.a",
"Alf:trojan:win32/formbook",
"Virtool:win32/obfuscator.ki",
"Ddos:win32/stormser.a",
"Win.trojan.agent-306281",
"States",
"Trojan.ole2.vbs",
"Worm:win32/netsky",
"Adwaresig [adw] ml.generic",
"Win32:malware",
"Gen:variant.zusy",
"Elf:mirai-gh\\ [trj]",
"Sodin ransomware",
"Alf:heraklezeval:trojandownloader:html/adodb!rfn",
"Tulach",
"#lowfidetectsvmware",
"Alf:hstr:dotnet",
"Phish.ab"
],
"industries": [
"Health",
"Oil",
"Education"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "6a126fcffc60a71dfab01f24",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:32:22.109000",
"created": "2026-05-24T03:26:07.144000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4130,
"URL": 11958,
"hostname": 4644,
"domain": 4304,
"FileHash-MD5": 2256,
"FileHash-SHA1": 1161,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1,
"IPv6": 4,
"IPv4": 6
},
"indicator_count": 28500,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6a126fcc3620af2edeb95e57",
"name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs",
"description": "",
"modified": "2026-05-24T03:26:04.439000",
"created": "2026-05-24T03:26:04.439000",
"tags": [
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"headers",
"expired",
"acceptencoding",
"html info",
"title home",
"tags viewport",
"trackers google",
"tag manager",
"gsddf3d2bzf",
"historical ssl",
"referrer",
"december",
"formbook",
"round",
"apple ios",
"tsara brashears",
"unlocker",
"collection",
"vt graph",
"socgholish",
"blister",
"hacktool",
"hiddentear",
"gootloader",
"agent tesla",
"crypto",
"installer",
"life",
"malware",
"open",
"korplug",
"tofsee",
"date",
"name servers",
"status",
"passive dns",
"urls",
"scan endpoints",
"all scoreblue",
"pulse submit",
"url analysis",
"files",
"no data",
"tag count",
"analyzer threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"heur",
"cisco umbrella",
"alexa top",
"million",
"site",
"alexa",
"maltiverse",
"xcnfe",
"safe site",
"phishing",
"remcos",
"malicious",
"miner",
"bank",
"agenttesla",
"agent",
"unknown",
"downloader",
"unsafe",
"trojan",
"detplock",
"artemis",
"networm",
"win64",
"redline stealer",
"limerat",
"venom rat",
"trojanspy",
"tld count",
"png image",
"jpeg image",
"rgba",
"exif standard",
"tiff image",
"pattern match",
"ascii text",
"united",
"jfif",
"sha1",
"core",
"general",
"starfield",
"hybrid",
"local",
"encrypt",
"click",
"strings",
"adobea",
"daga",
"as30148 sucuri",
"td tr",
"search",
"span td",
"as44273 host",
"creation date",
"a domains",
"xtra",
"meta",
"back",
"verdict",
"domain",
"aaaa",
"as15169 google",
"asnone united",
"nxdomain",
"sucuri security",
"a li",
"span",
"class",
"body",
"sucuri website",
"a div",
"authority",
"record value",
"showing",
"gmt content",
"x sucuri",
"high",
"related pulses",
"show",
"guard",
"entries",
"win32",
"west domains",
"next",
"ipv4",
"asnone germany",
"object",
"com cnt",
"dem fin",
"gov int",
"nav onl",
"phy pre",
"formbook cnc",
"checkin",
"found",
"error",
"code",
"create c",
"read c",
"delete",
"write",
"default",
"dock",
"execution",
"copy",
"xport",
"firewall",
"body doctype",
"section",
"dcrat",
"analyzer paste",
"iocs",
"hostnames",
"url https",
"blacklist",
"cl0p ransomware",
"zbot",
"malware site",
"team memscan",
"cl0p",
"algorithm",
"data",
"v3 serial",
"number",
"cus starizona",
"cngo daddy",
"g2 validity",
"subject public",
"key info",
"certificate",
"whois lookup",
"netrange",
"nethandle",
"net192",
"net1920000",
"as174",
"as3257",
"sucuri",
"sucur2",
"verisign",
"whois database",
"server",
"registrar abuse",
"icann whois",
"whois status",
"registrar iana",
"form",
"temple",
"first",
"android",
"win32 exe",
"html",
"bobby fischer",
"office open",
"detections type",
"name",
"pdf dealer",
"price list",
"pdf my",
"crime",
"taiwan unknown",
"as3462",
"as131148 bank",
"as21342",
"all search",
"otx scoreblue",
"pulse pulses",
"cname",
"as22612",
"as43350 nforce",
"win32upatre jun",
"expiration date",
"hostname",
"lowfi",
"date hash",
"avast avg",
"date checked",
"url hostname",
"server response",
"google safe",
"results jun",
"files show",
"registrar",
"china unknown",
"title",
"network",
"fakedout threat",
"urls http",
"maltiverse safe",
"malicious url",
"team",
"phishtank",
"services",
"botnet command",
"control server",
"mining",
"betabot",
"team malware",
"engineering",
"stealer",
"service",
"vawtrak",
"virut",
"emotet",
"simda",
"redline",
"fri oct",
"media sharing",
"known infection source",
"bot networks",
"malware",
"malware repository",
"spyware"
],
"references": [
"https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/",
"ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,",
"Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]",
"https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities",
"Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint",
"Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self",
"Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect",
"IP\u2019s Contacted: 192.124.249.187",
"Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin",
"Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile",
"Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities",
"www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=",
"www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Cl0p",
"display_name": "Cl0p",
"target": null
},
{
"id": "RedLine",
"display_name": "RedLine",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6688e0ffb31d4881f3238713",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4080,
"URL": 11952,
"hostname": 4638,
"domain": 4301,
"FileHash-MD5": 2236,
"FileHash-SHA1": 1140,
"CVE": 8,
"SSLCertFingerprint": 20,
"email": 8,
"CIDR": 1
},
"indicator_count": 28384,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "9 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e940361a6e8be7e02ffe5d",
"name": "URL_File_Delivery clone by octoseek",
"description": "",
"modified": "2026-05-22T23:04:42.859000",
"created": "2026-04-22T21:40:06.671000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "64d9d1b920c9b43c1885b2e4",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1644,
"domain": 386,
"hostname": 535,
"FileHash-SHA256": 609,
"email": 5,
"URI": 9,
"FilePath": 1,
"FileHash-SHA1": 8,
"FileHash-MD5": 24
},
"indicator_count": 3221,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6951f52a5af00a9be445ad41",
"name": "Mirai - HoneyPot | Pegasus | Therahand HoneyPot Bot Network",
"description": "A HoneyPot Bot Network created to protect a criminal who worked for a company formerly known as Therahand Wellness. This company employed an unquestioned but admittedly guilty SA\u2019r. | Name tactics used in an attempt to draw in victims to leave truthful negative reviews about Jeffrey Reimer | The website is extremely malicious. NSO Pegasus & Palantir relationship.\n\nWhat a pity there is no work done in the state of Colorado to convict medical unprofessionals unless they are poor assistants , Latin, African American or , Native. | Colorado has a known race issue. \n\nColorado ranks poor for getting rape kits tested.\nPoor possibly outranking Baltimore,MD in police brutality. \nPoor at solving it attempting to solve crimes. Law enforcement literally collects paper, evidence and turns evidence away at times. \n\nThis system allows the actual criminal\nto track victim.\nIf he wants to be the victim of this crime against persons let him be. \n\n *Pegasus & Israel and 99% of all tags auto populated by OTX.",
"modified": "2026-01-28T02:03:16.337000",
"created": "2025-12-29T03:27:38.183000",
"tags": [
"no expiration",
"expiration",
"url http",
"url https",
"iocs",
"enter source",
"url or",
"name servers",
"a domains",
"accept encoding",
"urls",
"emails",
"servers",
"url add",
"http",
"files domain",
"files related",
"related tags",
"united",
"gmt contenttype",
"ipv4 add",
"url analysis",
"files",
"present dec",
"cname",
"virtool",
"cryp",
"ip address",
"trojan",
"win32",
"therahand",
"jeffrey reimer",
"reimer dpt",
"msie",
"chrome",
"unknown ns",
"unknown cname",
"record value",
"accept",
"encrypt",
"passive dns",
"moved",
"wp engine",
"meta",
"wordpress",
"pegasus",
"america flag",
"america asn",
"reverse dns",
"flag",
"bad traffic",
"et info",
"tls handshake",
"failure",
"analysis",
"tor analysis",
"dns requests",
"united states",
"hostname",
"pulse submit",
"domain",
"files ip",
"eva lisa",
"eva reimer",
"all ipv4",
"dynamic_content",
"fingerprinting",
"size",
"pattern match",
"mitre att",
"ck id",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"status",
"hostname add",
"evasion",
"proximity",
"pulse pulses",
"address",
"learn",
"adversaries",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"command",
"initial access",
"spawns",
"present mar",
"present jun",
"title",
"windows nt",
"wow64",
"slcc2",
"media center",
"data recovery",
"ms windows",
"process32nextw",
"intel",
"pe32",
"format",
"mozilla",
"installcapital",
"generic",
"write",
"unknown",
"malware",
"next",
"installer",
"template",
"div div",
"request blocked",
"helvetica neue",
"helvetica segoe",
"ui arial",
"script script",
"pragma",
"port",
"destination",
"binbusybox",
"high",
"post",
"icmp traffic",
"dns query",
"newstatusurl",
"mirai",
"prefetch8",
"ck matrix",
"localappdata",
"info",
"ssl certificate",
"czech republic",
"prefetch1",
"prefetch2",
"israel israel",
"analysis tip",
"href",
"ascii text",
"null",
"refresh",
"span",
"iframe",
"error",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"beginstring",
"windir",
"openurl c",
"programfiles",
"related nids",
"files location",
"flag united",
"dynamicloader",
"medium",
"named pipe",
"win64",
"download",
"delphi",
"smartassembly",
"m. brian sabey",
"quasi government",
"no such agency",
"facebook",
"search",
"date",
"showing",
"ukraine",
"\u2018buzz\u2019",
"alex karp",
"peter theil",
"elon musk",
"ff d5",
"yara rule",
"ee fc",
"generic http",
"exe upload",
"f0 ff",
"eb e1",
"ff bb",
"show process",
"sha1",
"sub domain",
"show technique",
"network traffic",
"class",
"starfield",
"cyber crime",
"yara detections",
"top source",
"top destination",
"source source",
"filehash",
"sha256 add",
"av detections",
"ids detections",
"alerts",
"show",
"dock",
"execution",
"present feb",
"value",
"content type",
"mirai",
"sha256",
"body",
"gmt content",
"ddos",
"mtb sep",
"hosting",
"domain robot",
"expiration date",
"welcome",
"apple",
"christopher p. ahmann",
"tsara",
"monitored target",
"github https",
"github",
"smart assembly",
"red hat",
"hackers",
"google"
],
"references": [
"https://therahand.com",
"www.socialimages.reputationdatabase.com",
"Mirai: Yara Detections SUSP_ELF_LNX_UPX_Compressed_File , UPX , ELFHighEntropy , ElfUPX , elf_empty_sections",
"Alerts: dead_host network_icmp nolookup_communication p2p_cnc",
"Israel : https://tollfreeforwarding.com/virtual-phone-number/israel/360 \u2022 siteassets.parastorage.com",
"Palantir \u2022 NSO Group \u2022 Meta \u2022 Douglas County Sheriff \u2022 Palantir \u2022 Foundry \u2022 Therahand \u2022 Graphite \u2022 US .Government",
"Christopher P. \u2018Buzz\u2019 Ahmann \u2022 No Such Agency \u2022 Hall Render Brian Sabey via Therahand",
"https://hybrid-analysis.com/sample/489b309feb70c5267454229633f4eae3a98112498da2f78b1819ec343d938867/6951ab3dc7cfb38abf021a06",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"https://hybrid-analysis.com/sample/fecd023f35b153f1c71353834588a545d312da5c78ec0bba9bc10d93c3490f5e",
"BinBusyBox: 0x.un5t48l3.host",
"ASN: 213.202.211.188\u2022 0x.un5t48l3.host \u2022 srv1354.dedicated.server-hosting.expert Germany",
"AS24961 MyLoc Managed IT AG",
"PSI | Planned Systems International https://www.plan-sys.com/cyber",
"Smart Assembly | https://github.com/red-gate/SmartAssembly-demo",
"https://www.red-gate.com/products/smartassembly",
"https://cdphe.colorado.gov/sexual-violence-prevention/sexual-violence-prevention-statistics-resources",
"Colorado maintains a public-facing police misconduct database via the state's",
"Peace Officer Standards and Training (POST) Board website, available at post.coag.gov.",
"Sexual Assault against both Men and Women in the State of Colorado leads the nation. Great work!"
],
"public": 1,
"adversary": "NSO Pegasus",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FakeAV.FOR",
"display_name": "FakeAV.FOR",
"target": null
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "Win.Trojan.Agent-306281",
"display_name": "Win.Trojan.Agent-306281",
"target": null
},
{
"id": "VirTool:Win32/Obfuscator.KI",
"display_name": "VirTool:Win32/Obfuscator.KI",
"target": "/malware/VirTool:Win32/Obfuscator.KI"
},
{
"id": "Win32:MalOb-DB\\ [Cryp]",
"display_name": "Win32:MalOb-DB\\ [Cryp]",
"target": null
},
{
"id": "ELF:Mirai-GH\\ [Trj]",
"display_name": "ELF:Mirai-GH\\ [Trj]",
"target": null
},
{
"id": "ELF:Gafgyt-DZ\\ [Trj]",
"display_name": "ELF:Gafgyt-DZ\\ [Trj]",
"target": null
},
{
"id": "Unix.Trojan.Mirai-5607483-0",
"display_name": "Unix.Trojan.Mirai-5607483-0",
"target": null
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1432",
"name": "Access Contact List",
"display_name": "T1432 - Access Contact List"
},
{
"id": "T1036.005",
"name": "Match Legitimate Name or Location",
"display_name": "T1036.005 - Match Legitimate Name or Location"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1023",
"name": "Shortcut Modification",
"display_name": "T1023 - Shortcut Modification"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 523,
"FileHash-SHA1": 402,
"FileHash-SHA256": 2165,
"URL": 4953,
"domain": 1118,
"hostname": 1951,
"email": 12,
"SSLCertFingerprint": 52,
"CVE": 2
},
"indicator_count": 11178,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 146,
"modified_text": "125 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "140 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6935c92c5fc93fd873c6aa6d",
"name": "[COINBASECARTEL] - Ransomware Victim: Cinvestav - RedPacket Security | CVE-2025-11727 (New)",
"description": "Related to multiple exploits. Government Cyber Defense implications but shows as very legitimate looking masquerading. I am not positive and don\u2019t want to move to Belfast. Populated NSA [.] gov domains and subdomains (w/o no headers) lightly researched but does not assert a government identity. \n*New CVE-2025-11727",
"modified": "2026-01-06T18:04:02.620000",
"created": "2025-12-07T18:36:28.055000",
"tags": [
"memcommit",
"read c",
"t1082",
"cryptexportkey",
"invalid pointer",
"write",
"msil",
"malware",
"media",
"autorun",
"countries",
"united",
"america",
"high defense",
"evasion",
"t1055",
"ck technique",
"technique id",
"allocates",
"potential code",
"attempts",
"threatintel",
"dark web",
"coinbasecartel",
"ransomware",
"osint",
"tor",
"data breach",
"cinvestav",
"ai generated",
"ransomware leak",
"page",
"november",
"investigacin y",
"nacional",
"mexican",
"mexico",
"present nov",
"verdana",
"td tr",
"passive dns",
"ip address",
"urls",
"aaaa",
"present may",
"present oct",
"present jul",
"virtool",
"present sep",
"present jun",
"win32",
"default",
"unicode",
"png image",
"rgba",
"high",
"dock",
"execution",
"xport",
"unknown",
"data upload",
"extraction",
"will",
"data",
"name cloudflare",
"hostmaster name",
"org cloudflare",
"townsend st",
"city san",
"us creation",
"kelihos",
"ipv4",
"present dec",
"files",
"domain",
"search",
"hostname",
"verdict",
"location united",
"asn as16625",
"akamai",
"urls show",
"date checked",
"url hostname",
"server response",
"google safe",
"results nov",
"present aug",
"backdoor",
"msie",
"chrome",
"trojan",
"mtb aug",
"worm",
"cryp",
"junkpoly",
"twitter",
"trojandropper",
"title",
"germany unknown",
"ipv4 add",
"pulse pulses",
"hosting",
"reverse dns",
"cologne",
"search engine",
"gse compromised",
"redacted for",
"privacy admin",
"privacy tech",
"server",
"organization",
"street",
"city",
"stateprovince",
"postal code",
"country",
"resolver domain",
"cape sa",
"virustot",
"type pdf",
"name",
"lookups",
"email abuse",
"historical ssl",
"certificates",
"first",
"graph summary",
"cname",
"address",
"ip2location",
"bogon ip",
"admin",
"network",
"wifi password",
"ssid",
"demo",
"details",
"failed",
"include review",
"exclude sugges",
"onlv",
"x try",
"find s",
"typ url",
"url data",
"severity att",
"module load",
"icmp traffic",
"dns query",
"t1055 jseval",
"windows nt",
"port",
"entries",
"destination",
"medium",
"show",
"pecompact",
"june",
"service",
"next",
"xserver",
"encrypt",
"t1129",
"windows module",
"dlls",
"convention",
"windows native"
],
"references": [
"Search Engines \u2022 Browser Extensions | Google.com.? | Duck DNS",
"Related : Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"hallplan.vm05.iveins.de",
"https://otx.alienvault.com/pulse/65b85faa9b8e3e1206d7f25c",
"Masquerading as? : bitcoin-king.nsa.mx \u2022 cpcontacts.nsa.mx \u2022 vulkanslot-bet777.nsa.mx",
"Name : iveins.de Service : connect",
"https://www.redpacketsecurity.com/coinbasecartel-ransomware-victim-cinvestav \u2022 evilginx.redpacketsecurity.com",
"phish-demo-poc.phish-demo-poc.redpacketsecurity.com \u2022 phish-demo-poc.redpacketsecurity.com",
"https://otx.alienvault.com/indicator/cve/CVE-2025-11727"
],
"public": 1,
"adversary": "COINBASECARTEL",
"targeted_countries": [
"United States of America",
"Sweden",
"Bangladesh",
"Japan"
],
"malware_families": [
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "MSIL:Agent-DQ\\ [Trj]",
"display_name": "MSIL:Agent-DQ\\ [Trj]",
"target": null
},
{
"id": "VirTool:MSIL/Covent.A",
"display_name": "VirTool:MSIL/Covent.A",
"target": "/malware/VirTool:MSIL/Covent.A"
},
{
"id": "Trojan:Win32/Pynamer!rfn",
"display_name": "Trojan:Win32/Pynamer!rfn",
"target": "/malware/Trojan:Win32/Pynamer!rfn"
},
{
"id": "Win64:TrojanX",
"display_name": "Win64:TrojanX",
"target": null
},
{
"id": "VirTool:MSIL/Covent",
"display_name": "VirTool:MSIL/Covent",
"target": "/malware/VirTool:MSIL/Covent"
},
{
"id": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"display_name": "#Lowfi:HSTR:MSIL/Obfuscator.Deepsea",
"target": null
},
{
"id": "Win32:Malware",
"display_name": "Win32:Malware",
"target": null
},
{
"id": "Kelihos",
"display_name": "Kelihos",
"target": null
},
{
"id": "CVE-2025-11727",
"display_name": "CVE-2025-11727",
"target": null
},
{
"id": "Exploit:JS/CVE-2014-0322",
"display_name": "Exploit:JS/CVE-2014-0322",
"target": "/malware/Exploit:JS/CVE-2014-0322"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1098",
"name": "Account Manipulation",
"display_name": "T1098 - Account Manipulation"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
}
],
"industries": [
"Education"
],
"TLP": "white",
"cloned_from": null,
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 144,
"FileHash-SHA1": 117,
"FileHash-SHA256": 1746,
"URL": 5018,
"hostname": 1827,
"domain": 1072,
"CVE": 3,
"email": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9938,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "146 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692d02f096f3ec8b5b507496",
"name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace",
"description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.",
"modified": "2025-12-31T02:01:50.101000",
"created": "2025-12-01T02:52:32.483000",
"tags": [
"business",
"enterprise",
"drive",
"english",
"google drive",
"try drive",
"business small",
"workspace",
"sign",
"strong",
"find",
"life",
"tools",
"protect",
"cloud",
"simple",
"android",
"indonesia",
"video",
"mb download",
"shared may",
"shared",
"learn",
"drive drive",
"name date",
"javascript",
"dynamicloader",
"medium",
"minimal headers",
"high",
"observed get",
"get http",
"united",
"yara rule",
"http",
"write",
"guard",
"malware",
"read c",
"ms windows",
"intel",
"png image",
"rgba",
"pe32",
"get na",
"explorer",
"music",
"virlock",
"media",
"ho chi",
"minh city",
"viet nam",
"storage company",
"limited",
"google",
"address as",
"luutruso",
"cloudflar",
"domain",
"asn15169",
"asn56153",
"asn13335",
"cisco",
"umbrella rank",
"apex domain",
"url https",
"kb stylesheet",
"kb font",
"kb image",
"image",
"kb script",
"november",
"resource path",
"size",
"type mimetype",
"primary request",
"redirect chain",
"kb document",
"urls",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"t1590 gather",
"windir",
"openurl c",
"prefetch2",
"tor analysis",
"dns requests",
"domain address",
"rsdsq jfu",
"ollydbg ollydbg",
"wireshark",
"external",
"binary file",
"mitre att",
"ck matrix",
"aaaa",
"cong ty",
"co phan",
"code",
"province hcm",
"files",
"ip address",
"request",
"flag",
"country",
"contacted hosts",
"process details",
"link initial",
"t1480 execution",
"domains",
"moved",
"gmt content",
"all ipv4",
"url analysis",
"location viet",
"title",
"error",
"problem",
"url add",
"related nids",
"files location",
"flag united",
"development att",
"name server",
"markmonitor",
"localappdata",
"programfiles",
"edge",
"hyundai",
"social engineering",
".mil",
"hackers",
"phishing eml",
"summary",
"cisco umbrella",
"google safe",
"browsing",
"current dns",
"a record",
"ip information",
"ipasns ip",
"detail domain",
"domain tree",
"links apex",
"transfer",
"b script",
"b stylesheet",
"frame b830",
"b document",
"value",
"december",
"degurafregistry",
"gat object",
"jsl object",
"gapijstiming",
"iframe function",
"domainpath name",
"nid value",
"source level",
"files domain",
"files related",
"tags",
"related tags",
"virustotal",
"foundry",
"pulse otx",
"dark",
"vietnam",
"present aug",
"present nov",
"present jul",
"present sep",
"unknown aaaa",
"search",
"name servers",
"present oct",
"trojan",
"data upload",
"extraction",
"se https",
"include review",
"exclude sugges",
"find s",
"failed",
"typ don",
"faith",
"study",
"romeo\u2019s",
"juliettes",
"femme fatales",
"strategy",
"honey pot",
"honey traps",
"spy",
"helix",
"anons",
"passive dns",
"pulse pulses",
"files ip",
"address",
"location united",
"asn as400519",
"whois registrar",
"ms defender",
"files matching",
"number",
"sample analysis",
"hide samples",
"date hash",
"cameras",
"cams",
"spycam",
"botnet",
"vietnam",
"company limited",
"dnssec",
"status",
"india unknown",
"present may",
"espionage",
"hostname add",
"generic",
"cnc activity",
"backdoor",
"ipv4",
"anonsecbotnet",
"iptv"
],
"references": [
"drive.google.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"zalo.me | href | Binary File | ATT&CK ID T1566.002",
"https://account.helix.com/activate/start",
"anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022",
"https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]",
"Terse Unencrypted Request for Google - Likely Connectivity Check",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6",
"cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com",
"https://hyundaibariavungtau3s.com/vehicle/stargazer",
"https://hyundaibariavungtau3s.com/vehicle/ioniq-5",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue",
"https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade",
"https://hyundaibariavungtau3s.com/vehicle/hyundai-custin",
"https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/",
"https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com",
"https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/",
"https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com",
"http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/",
"http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466",
"https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam",
"feedback-pa.clients6.google.com/v1/survey/trigger/",
"https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg",
"anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Virus.Virlock-6804475-0",
"display_name": "Win.Virus.Virlock-6804475-0",
"target": null
},
{
"id": "Win.Malware.Bzub-6727003-0",
"display_name": "Win.Malware.Bzub-6727003-0",
"target": null
},
{
"id": "Win.Trojan.Generic-9801687-0",
"display_name": "Win.Trojan.Generic-9801687-0",
"target": null
},
{
"id": "NID",
"display_name": "NID",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Floxif.E",
"display_name": "Trojan:Win32/Floxif.E",
"target": "/malware/Trojan:Win32/Floxif.E"
},
{
"id": "Win.Dropper.njRAT-10015886-0",
"display_name": "Win.Dropper.njRAT-10015886-0",
"target": null
},
{
"id": "Win.Packed.Generic-9795615-0",
"display_name": "Win.Packed.Generic-9795615-0",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ GC!",
"display_name": "Backdoor:MSIL/Bladabindi.AJ GC!",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!"
},
{
"id": "Win.Packed.Generic-9795615-0\t.",
"display_name": "Win.Packed.Generic-9795615-0\t.",
"target": null
},
{
"id": "Backdoor:MSIL/Bladabindi.AJ",
"display_name": "Backdoor:MSIL/Bladabindi.AJ",
"target": "/malware/Backdoor:MSIL/Bladabindi.AJ"
},
{
"id": "Win.Packed.Fecn-7077459-0",
"display_name": "Win.Packed.Fecn-7077459-0",
"target": null
},
{
"id": "Trojan:MSIL/Ranos.A",
"display_name": "Trojan:MSIL/Ranos.A",
"target": "/malware/Trojan:MSIL/Ranos.A"
},
{
"id": "Win.Trojan.Generic-6417450-0",
"display_name": "Win.Trojan.Generic-6417450-0",
"target": null
},
{
"id": "ALF:Backdoor:MSIL/Noancooe.KA",
"display_name": "ALF:Backdoor:MSIL/Noancooe.KA",
"target": null
},
{
"id": "Win.Packed.Msilperseus-9956592-0",
"display_name": "Win.Packed.Msilperseus-9956592-0",
"target": null
},
{
"id": "Trojan:MSIL/ClipBanker",
"display_name": "Trojan:MSIL/ClipBanker",
"target": "/malware/Trojan:MSIL/ClipBanker"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1194",
"name": "Spearphishing via Service",
"display_name": "T1194 - Spearphishing via Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1039",
"name": "Data from Network Shared Drive",
"display_name": "T1039 - Data from Network Shared Drive"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "T1444",
"name": "Masquerade as Legitimate Application",
"display_name": "T1444 - Masquerade as Legitimate Application"
},
{
"id": "T1567.002",
"name": "Exfiltration to Cloud Storage",
"display_name": "T1567.002 - Exfiltration to Cloud Storage"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1911,
"hostname": 714,
"FileHash-SHA256": 1304,
"FileHash-MD5": 159,
"FileHash-SHA1": 71,
"SSLCertFingerprint": 2,
"domain": 421,
"CVE": 1,
"email": 4
},
"indicator_count": 4587,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "153 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690e8b773dc39921d88abd44",
"name": "Nanocore - Affected",
"description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|",
"modified": "2025-12-07T23:02:29.645000",
"created": "2025-11-08T00:14:47.600000",
"tags": [
"hgnvastlaiz",
"read c",
"medium",
"rgba",
"memcommit",
"delete",
"png image",
"unicode",
"dock",
"execution",
"malware",
"crlf line",
"speichermedium",
"productversion",
"fileversion",
"engine dll",
"internalname",
"einstellungen",
"comodo ca",
"limited st",
"yara detections",
"next pe",
"eula",
"policy",
"direct",
"opencandy",
"suspicious_write_exe",
"network_icmp",
"process_martian",
"present jun",
"present jul",
"domain",
"united",
"ip address",
"unknown ns",
"ms windows",
"intel",
"verisign",
"time stamping",
"unknown",
"class",
"write",
"markus",
"temple",
"msie",
"windows nt",
"get http",
"lehash",
"av detections",
"ids detections",
"alerts",
"file score",
"low risk",
"compromised_site_redirector_fromcharcode",
"present aug",
"passive dns",
"all ipv4",
"urls",
"files",
"hosting",
"america flag",
"win32",
"ipv4 add",
"signed file, valid signature. revoked.",
"united states",
"pws",
"atros",
"fiha",
"search",
"entries",
"present oct",
"next associated",
"show",
"high",
"wow64",
"slcc2",
"next",
"domain add",
"poland",
"poland unknown",
"ipv4",
"location poland",
"poland asn",
"et policy",
"pe exe",
"dll windows",
"amazon s3",
"location united",
"associated urls",
"date checked",
"url hostname",
"server response",
"google safe",
"results feb",
"nanocore",
"url add",
"http",
"related nids",
"files location",
"flag united",
"malicious image",
"files domain",
"files related",
"pulses otx",
"related tags",
"resources whois",
"virustotal",
"present sep",
"status",
"present nov",
"present mar",
"trojan",
"script script",
"div div",
"link",
"a li",
"meta",
"sweden",
"invalid url",
"head title",
"title head",
"reference",
"bad request",
"server",
"netherlands",
"creation date",
"date",
"running server",
"ahmann",
"christopher",
"p",
"tam",
"legal",
"treece",
"alfrey",
"muscat",
"adversaries",
"cyber crime",
"quasi",
"government"
],
"references": [
"wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87",
"ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua",
"http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022",
"www.opencandy.com",
"http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022",
"Yara Detections : compromised_site_redirector_fromcharcode",
"Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx",
"pcoptimizerpro.com \u2022 www.pcoptimizerpro.com",
"PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23",
"YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform",
"https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg",
"https://heavyfetish.com/search/CHEESE-PIZZA-porn/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Nanocore-5",
"display_name": "Win.Trojan.Nanocore-5",
"target": null
},
{
"id": "Win.Trojan.Adinstall-2",
"display_name": "Win.Trojan.Adinstall-2",
"target": null
},
{
"id": "PSW.Generic13",
"display_name": "PSW.Generic13",
"target": null
},
{
"id": "Atros.UPK",
"display_name": "Atros.UPK",
"target": null
},
{
"id": "Luhe.Fiha.A",
"display_name": "Luhe.Fiha.A",
"target": null
},
{
"id": "Pua.Optimizerpro/PCOptimizerPro",
"display_name": "Pua.Optimizerpro/PCOptimizerPro",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1491.001",
"name": "Internal Defacement",
"display_name": "T1491.001 - Internal Defacement"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 753,
"FileHash-SHA1": 622,
"FileHash-SHA256": 4336,
"URL": 2448,
"domain": 300,
"hostname": 788,
"CVE": 1,
"email": 4
},
"indicator_count": 9252,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "176 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "192 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "docs.tw",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "docs.tw",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780409290.1668954
}