{
  "type": "Domain",
  "indicator": "document.open",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/document.open",
    "alexa": "http://www.alexa.com/siteinfo/document.open",
    "indicator": "document.open",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2811798845,
      "indicator": "document.open",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "66a8fc31eef230721db4d064",
          "name": "Mid-year Doppelganger information operations in Europe and the US",
          "description": "This investigation delves into information operations conducted by Russian actors known as Doppelg\u00e4nger, focusing on their activities from early June to late-July 2024. It examines their tactics, associated infrastructure, and motivations, particularly in relation to the unexpected snap general election in France during this period. The analysis reveals a persistent and complex effort to disseminate disinformation through social media, impersonating legitimate news websites and employing intricate redirection chains. The operations primarily target conservative and nationalist sentiments, aiming to destabilize Western democracies by exploiting existing societal and political divisions.",
          "modified": "2025-08-07T12:51:05.434000",
          "created": "2024-07-30T14:44:01.273000",
          "tags": [
            "redirection",
            "social media",
            "russian actors",
            "disinformation",
            "elections"
          ],
          "references": [
            "https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/"
          ],
          "public": 1,
          "adversary": "Doppelg\u00e4nger",
          "targeted_countries": [
            "France",
            "Germany",
            "United States of America",
            "Ukraine",
            "Israel",
            "Poland",
            "Taiwan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1498.001",
              "name": "Direct Network Flood",
              "display_name": "T1498.001 - Direct Network Flood"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1134.002",
              "name": "Create Process with Token",
              "display_name": "T1134.002 - Create Process with Token"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1609",
              "name": "Container Administration Command",
              "display_name": "T1609 - Container Administration Command"
            },
            {
              "id": "T1114.003",
              "name": "Email Forwarding Rule",
              "display_name": "T1114.003 - Email Forwarding Rule"
            },
            {
              "id": "T1589.001",
              "name": "Credentials",
              "display_name": "T1589.001 - Credentials"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1127.001",
              "name": "MSBuild",
              "display_name": "T1127.001 - MSBuild"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 264,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "URL": 232,
            "domain": 419,
            "email": 1,
            "hostname": 23
          },
          "indicator_count": 676,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377802,
          "modified_text": "256 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6811141c708261eb22d3a773",
          "name": "FileScan.io feed",
          "description": "",
          "modified": "2026-03-04T22:16:29.183000",
          "created": "2025-04-29T18:02:04.881000",
          "tags": [],
          "references": [
            "https://www.filescan.io/api/feed/reports"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 681,
            "BitcoinAddress": 1,
            "FileHash-MD5": 1595,
            "FileHash-SHA1": 1569,
            "FileHash-SHA256": 1726,
            "domain": 116,
            "email": 60,
            "hostname": 99
          },
          "indicator_count": 5847,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 178,
          "modified_text": "46 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68341d93e12cc9934920d926",
          "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics",
          "description": "TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.",
          "modified": "2025-06-25T07:01:11.856000",
          "created": "2025-05-26T07:51:47.680000",
          "tags": [
            "tag110",
            "sub procedure",
            "insikt group",
            "future",
            "tajikistan",
            "word",
            "microsoft word",
            "hatvibe",
            "central asia",
            "word startup",
            "template",
            "february",
            "kremlin",
            "copy",
            "soar",
            "insikt",
            "cases prevent",
            "hta hatvibe"
          ],
          "references": [
            "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled"
          ],
          "public": 1,
          "adversary": "Insikt",
          "targeted_countries": [
            "Tajikistan",
            "Russian Federation",
            "Kazakhstan",
            "Uzbekistan"
          ],
          "malware_families": [
            {
              "id": "Cases Prevent",
              "display_name": "Cases Prevent",
              "target": null
            },
            {
              "id": "HTA HATVIBE",
              "display_name": "HTA HATVIBE",
              "target": null
            },
            {
              "id": "HATVIBE",
              "display_name": "HATVIBE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Military"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 22,
            "domain": 22,
            "hostname": 10
          },
          "indicator_count": 66,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 180,
          "modified_text": "299 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68301c551b7142ed4a4df383",
          "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics",
          "description": "TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.",
          "modified": "2025-06-22T06:00:07.389000",
          "created": "2025-05-23T06:57:25.188000",
          "tags": [
            "tag110",
            "sub procedure",
            "insikt group",
            "future",
            "tajikistan",
            "word",
            "microsoft word",
            "hatvibe",
            "central asia",
            "word startup",
            "template",
            "february",
            "kremlin",
            "copy",
            "soar",
            "insikt",
            "cases prevent",
            "hta hatvibe"
          ],
          "references": [
            "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled"
          ],
          "public": 1,
          "adversary": "Insikt",
          "targeted_countries": [
            "Tajikistan",
            "Russian Federation",
            "Kazakhstan",
            "Uzbekistan"
          ],
          "malware_families": [
            {
              "id": "Cases Prevent",
              "display_name": "Cases Prevent",
              "target": null
            },
            {
              "id": "HTA HATVIBE",
              "display_name": "HTA HATVIBE",
              "target": null
            },
            {
              "id": "HATVIBE",
              "display_name": "HATVIBE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Military"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "URL": 22,
            "domain": 22,
            "hostname": 10
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 175,
          "modified_text": "302 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6826d587a09f89d896230007",
          "name": "Treaty 7 CA - 05.15.25",
          "description": "Domain Analysis of hxxps://treaty7[.]org",
          "modified": "2025-06-15T06:04:18.939000",
          "created": "2025-05-16T06:04:55.416000",
          "tags": [
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "community",
            "results",
            "switch",
            "inquest labs",
            "resources api",
            "notes supported",
            "cve list",
            "drop your",
            "file",
            "service",
            "sandbox",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "contactus",
            "brandidwix",
            "ms429",
            "ts260",
            "browserlngen",
            "isca1",
            "iscf1",
            "ispd0",
            "ise0",
            "prefetch8 ansi",
            "ansi",
            "date",
            "show process",
            "threat level",
            "hash seen",
            "pcap processing",
            "sha256",
            "pcap",
            "command decode",
            "suspicious",
            "encrypt",
            "hybrid",
            "general",
            "comspec",
            "close",
            "click",
            "hosts",
            "path",
            "model",
            "strings",
            "contact",
            "javascript",
            "UAlberta",
            "Treaty7"
          ],
          "references": [
            "https://www.filescan.io/uploads/6826cd18bff72ff46b64ee8c/reports/7036cd34-d101-4a91-b281-c2c4feeccee6/overview",
            "https://metadefender.com/results/url/aHR0cHM6Ly90cmVhdHk3Lm9yZw==",
            "https://www.hybrid-analysis.com/sample/f610287a56377c483da68342ed21b75de3ac397000cb340115e6e41a1d16a923",
            "https://www.hybrid-analysis.com/sample/f610287a56377c483da68342ed21b75de3ac397000cb340115e6e41a1d16a923/6826cd9dd7197c59d908de0e",
            "https://www.virustotal.com/gui/collection/c1e01a1edffa20b1f1ff7042606279ab45badb355ef02575b3dae4235755f13f",
            "https://www.virustotal.com/gui/collection/c1e01a1edffa20b1f1ff7042606279ab45badb355ef02575b3dae4235755f13f/iocs",
            "https://www.virustotal.com/graph/embed/g4ac79370897643149fd812849cb2fafc6752ce6598b44b4cb165360355d500eb?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 374,
            "hostname": 134,
            "FileHash-MD5": 83,
            "domain": 64,
            "email": 11,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 71,
            "SSLCertFingerprint": 9
          },
          "indicator_count": 817,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "309 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682196a15b1ef91898209047",
          "name": "Confederacy of Treaty 6 First Nations - 05.12.25",
          "description": "Domain Analysis of Treaty 6",
          "modified": "2025-06-11T06:04:36.233000",
          "created": "2025-05-12T06:35:13.763000",
          "tags": [
            "please",
            "javascript",
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "sandbox",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "namesilo",
            "redacted tech",
            "date",
            "redacted admin",
            "server",
            "key identifier",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "first",
            "code",
            "brandidwix",
            "isca1",
            "iscf1",
            "ispd0",
            "ise0",
            "ms623",
            "ts463",
            "browserlngen",
            "ms1540",
            "prefetch8 ansi",
            "ansi",
            "show process",
            "pcap processing",
            "hash seen",
            "pcap",
            "united",
            "programfiles",
            "ck id",
            "command decode",
            "suspicious",
            "encrypt",
            "comspec",
            "hybrid",
            "model",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "strings",
            "contact",
            "entity",
            "viewer",
            "UAlberta",
            "Alberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/domain/treatysix.org/details",
            "https://www.virustotal.com/gui/domain/treatysix.org/relations",
            "https://www.filescan.io/uploads/6821894cc7418694c8a8df79/reports/89adc027-4d41-4116-bf76-9503b674c065/overview",
            "https://www.hybrid-analysis.com/sample/11827b4935d0b3866afb6d04f6eb73eec196664f34c474ce48d0b10dbc087637",
            "https://www.hybrid-analysis.com/sample/11827b4935d0b3866afb6d04f6eb73eec196664f34c474ce48d0b10dbc087637/68218c1713c2f8388e0e75a3",
            "https://www.virustotal.com/gui/collection/d3c43342b1c853ac13ccaefa147433f4a352472bd0c3d15c65b8e07270956694/iocs",
            "https://www.virustotal.com/graph/embed/ge6925a8998194559b7a3390d2024e2819bcba50a6e4741b790f4ffa8af7c0061?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Government",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 82,
            "FileHash-MD5": 31,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 32,
            "email": 19,
            "hostname": 132,
            "URL": 438,
            "SSLCertFingerprint": 13
          },
          "indicator_count": 771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "313 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6814ea4940291bbf76c52c7b",
          "name": "hxxps://www[.]treatysix[.]org/ - 05.02.25",
          "description": "Quick Analysis of hxxps://www[.]treatysix[.]org/ - 05.02.25 using VirusTotal, Filescan, Hybrid Analysis",
          "modified": "2025-06-01T15:01:43.382000",
          "created": "2025-05-02T15:52:41.629000",
          "tags": [
            "please",
            "javascript",
            "entity",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "platform",
            "ispd0",
            "ise0",
            "brandidwix",
            "ms483",
            "ts392",
            "browserlngen",
            "ms1099",
            "prefetch8 ansi",
            "date",
            "ansi",
            "show process",
            "threat level",
            "pcap processing",
            "hash seen",
            "pcap",
            "sha256",
            "programfiles",
            "suspicious",
            "encrypt",
            "comspec",
            "hybrid",
            "model",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "strings",
            "contact",
            "Treaty 6",
            "Treaty 8",
            "Alberta",
            "UAlberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/f4bf8288a20959a4f6d04b1aaad6e3d7107a2f9a486d4386fbe3198defdd8ebb/summary",
            "https://www.virustotal.com/gui/collection/f4bf8288a20959a4f6d04b1aaad6e3d7107a2f9a486d4386fbe3198defdd8ebb/iocs",
            "https://www.virustotal.com/graph/embed/g05c13c5ff4db4f6099edcae670421f3b79a83cdb39704b21bb8742f4ac357a25?theme=dark",
            "https://www.hybrid-analysis.com/sample/835e4c142d9f3445570bba99aaa66cbecbe427b3a5df6af9158ae3963e096d20",
            "https://www.filescan.io/uploads/6814e799bab2591d065350da/reports/7f2bb6d9-65b4-486e-80a7-6105949fdc6e/overview",
            "https://www.hybrid-analysis.com/sample/835e4c142d9f3445570bba99aaa66cbecbe427b3a5df6af9158ae3963e096d20/6814e75757ec43194f0f1110"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Government",
            "Education",
            "Healthcare",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 56,
            "FileHash-SHA1": 45,
            "FileHash-SHA256": 83,
            "URL": 111,
            "hostname": 277,
            "domain": 46,
            "email": 18,
            "SSLCertFingerprint": 15
          },
          "indicator_count": 651,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "323 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d0c4cb716b88c464c666c3",
          "name": "The Best Buy Virus - Spreads Via Bluetooth, Pre-Boots Bios",
          "description": "https://any.run/report/c6240ca88eed5b237451d4ceab51a5df1e8bc3b0a4a0e099fbe4b9f0d5cf23a2/bb5def03-bc05-461a-8f31-dac27aa379a3#i-table-processes-e4bd3114-7005-4ba7-96c9-337696f5c010\n\nFormerly referred to as WhinySuckyBaby before Best Buy Corporate elected to completely avoid all responsibility for the virus that they are spreading to anyone that walks into those stores. Infection is proven and on video at: Https://BiosVir.us or https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
          "modified": "2025-05-15T09:15:39.493000",
          "created": "2024-08-29T18:58:19.338000",
          "tags": [
            "Bios",
            "Virus",
            "Sucky",
            "Bluetooth",
            "CryptoMining",
            "Keylogging",
            "Crypto",
            "Euif",
            "Best",
            "Persistant",
            "Survives Reformat",
            "No Help",
            "Buy",
            "WhinySuckyBaby",
            "Squad",
            "Whiny",
            "Mark Monitor",
            "Digital Stalking",
            "Best Buy",
            "Baby",
            "w3.org",
            "Geek"
          ],
          "references": [
            "",
            "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806",
            "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
            "Https://BiosVir.us",
            "Https://BluetoothVirus.com",
            "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061",
            "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 13,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Jeff4Son",
            "id": "291365",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 422,
            "FileHash-SHA1": 420,
            "FileHash-SHA256": 966,
            "URL": 620,
            "domain": 531,
            "hostname": 1564,
            "email": 6,
            "SSLCertFingerprint": 13
          },
          "indicator_count": 4542,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "340 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "676b5a7cd903a3fec3a68ba7",
          "name": "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview",
          "description": "We use cookies to store information on our website, but we do not store any personally identifiable data, so we may use them to monitor how we interact with your browser and send messages to our users.",
          "modified": "2025-05-14T21:23:57.367000",
          "created": "2024-12-25T01:06:04.499000",
          "tags": [
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "nothreat osint",
            "znaleziono cz",
            "werdykt brak",
            "duration",
            "analytics",
            "reject all",
            "cookie ga",
            "file details",
            "url details",
            "rules extracted",
            "alexa"
          ],
          "references": [
            "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 70,
            "FileHash-SHA256": 88,
            "domain": 8,
            "hostname": 16
          },
          "indicator_count": 182,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 122,
          "modified_text": "340 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6788c6a841a3b4f6aafd1c3d",
          "name": "Mid-year Doppelganger information operations in Europe and the US",
          "description": "",
          "modified": "2025-01-16T08:43:20.646000",
          "created": "2025-01-16T08:43:20.646000",
          "tags": [
            "redirection",
            "social media",
            "russian actors",
            "disinformation",
            "elections"
          ],
          "references": [
            "https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/"
          ],
          "public": 1,
          "adversary": "Doppelg\u00e4nger",
          "targeted_countries": [
            "France",
            "Germany",
            "United States of America",
            "Ukraine",
            "Israel",
            "Poland",
            "Taiwan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1498.001",
              "name": "Direct Network Flood",
              "display_name": "T1498.001 - Direct Network Flood"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1134.002",
              "name": "Create Process with Token",
              "display_name": "T1134.002 - Create Process with Token"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1609",
              "name": "Container Administration Command",
              "display_name": "T1609 - Container Administration Command"
            },
            {
              "id": "T1114.003",
              "name": "Email Forwarding Rule",
              "display_name": "T1114.003 - Email Forwarding Rule"
            },
            {
              "id": "T1589.001",
              "name": "Credentials",
              "display_name": "T1589.001 - Credentials"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1127.001",
              "name": "MSBuild",
              "display_name": "T1127.001 - MSBuild"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66ab1af7fa97122299b0eac5",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "URL": 235,
            "domain": 419,
            "email": 1,
            "hostname": 26
          },
          "indicator_count": 682,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 264,
          "modified_text": "459 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "512 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "512 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39656,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 79,
          "modified_text": "521 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ab1af7fa97122299b0eac5",
          "name": "Mid-year Doppelganger information operations in Europe and the US",
          "description": "",
          "modified": "2024-08-29T14:02:18.012000",
          "created": "2024-08-01T05:19:51.580000",
          "tags": [
            "redirection",
            "social media",
            "russian actors",
            "disinformation",
            "elections"
          ],
          "references": [
            "https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/"
          ],
          "public": 1,
          "adversary": "Doppelg\u00e4nger",
          "targeted_countries": [
            "France",
            "Germany",
            "United States of America",
            "Ukraine",
            "Israel",
            "Poland",
            "Taiwan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1498.001",
              "name": "Direct Network Flood",
              "display_name": "T1498.001 - Direct Network Flood"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1134.002",
              "name": "Create Process with Token",
              "display_name": "T1134.002 - Create Process with Token"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1609",
              "name": "Container Administration Command",
              "display_name": "T1609 - Container Administration Command"
            },
            {
              "id": "T1114.003",
              "name": "Email Forwarding Rule",
              "display_name": "T1114.003 - Email Forwarding Rule"
            },
            {
              "id": "T1589.001",
              "name": "Credentials",
              "display_name": "T1589.001 - Credentials"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1127.001",
              "name": "MSBuild",
              "display_name": "T1127.001 - MSBuild"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66a8fc31eef230721db4d064",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "URL": 235,
            "domain": 419,
            "email": 1,
            "hostname": 26
          },
          "indicator_count": 682,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 184,
          "modified_text": "599 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66598ad96834e6760e31bc38",
          "name": "Master of Puppets: Uncovering the DoppelG\u00e4nger pro-Russian influence campaign",
          "description": "",
          "modified": "2024-06-30T08:02:41.320000",
          "created": "2024-05-31T08:31:21.907000",
          "tags": [
            "doppelgnger",
            "ukraine",
            "sekoia",
            "facebook",
            "instagram",
            "structura",
            "france",
            "germany",
            "viginum",
            "november",
            "meta",
            "keitaro",
            "august",
            "february",
            "april",
            "slovakia",
            "path",
            "voice",
            "munich",
            "kiev",
            "twitter",
            "embargo",
            "judge",
            "error",
            "june"
          ],
          "references": [
            "https://blog.sekoia.io/master-of-puppets-uncovering-the-doppelganger-pro-russian-influence-campaign/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "URL": 8,
            "domain": 28,
            "hostname": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 847,
          "modified_text": "659 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c231f263ca042121a81827",
          "name": "oracle is shocking",
          "description": "",
          "modified": "2022-08-03T00:05:10.569000",
          "created": "2022-07-04T00:18:58.267000",
          "tags": [
            "span",
            "section",
            "button",
            "tbody",
            "script",
            "path",
            "java",
            "archive",
            "download",
            "cc02v0",
            "meta",
            "installer",
            "date",
            "iframe",
            "contact",
            "form",
            "service",
            "critical",
            "close",
            "alpha",
            "false",
            "click",
            "main",
            "energy",
            "life",
            "media",
            "write",
            "back",
            "widget",
            "tools",
            "protect",
            "april",
            "python",
            "ukraine",
            "indonesia",
            "middle",
            "facebook",
            "twitter"
          ],
          "references": [
            "oracle com downl # java.pdf",
            "www.oracle.com - urlscan.io.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 956,
            "FileHash-SHA256": 237,
            "hostname": 197,
            "domain": 59,
            "FileHash-MD5": 2
          },
          "indicator_count": 1451,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 391,
          "modified_text": "1356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.hybrid-analysis.com/sample/835e4c142d9f3445570bba99aaa66cbecbe427b3a5df6af9158ae3963e096d20",
        "",
        "https://www.hybrid-analysis.com/sample/11827b4935d0b3866afb6d04f6eb73eec196664f34c474ce48d0b10dbc087637",
        "https://www.virustotal.com/gui/collection/c1e01a1edffa20b1f1ff7042606279ab45badb355ef02575b3dae4235755f13f/iocs",
        "https://www.hybrid-analysis.com/sample/11827b4935d0b3866afb6d04f6eb73eec196664f34c474ce48d0b10dbc087637/68218c1713c2f8388e0e75a3",
        "https://www.filescan.io/uploads/6814e799bab2591d065350da/reports/7f2bb6d9-65b4-486e-80a7-6105949fdc6e/overview",
        "https://www.hybrid-analysis.com/sample/f610287a56377c483da68342ed21b75de3ac397000cb340115e6e41a1d16a923",
        "https://blog.sekoia.io/master-of-puppets-uncovering-the-doppelganger-pro-russian-influence-campaign/",
        "https://www.virustotal.com/graph/embed/ge6925a8998194559b7a3390d2024e2819bcba50a6e4741b790f4ffa8af7c0061?theme=dark",
        "Https://BluetoothVirus.com",
        "https://www.virustotal.com/gui/collection/f4bf8288a20959a4f6d04b1aaad6e3d7107a2f9a486d4386fbe3198defdd8ebb/summary",
        "https://www.virustotal.com/gui/collection/d3c43342b1c853ac13ccaefa147433f4a352472bd0c3d15c65b8e07270956694/iocs",
        "www.oracle.com - urlscan.io.pdf",
        "https://www.hybrid-analysis.com/sample/f610287a56377c483da68342ed21b75de3ac397000cb340115e6e41a1d16a923/6826cd9dd7197c59d908de0e",
        "https://www.virustotal.com/gui/collection/c1e01a1edffa20b1f1ff7042606279ab45badb355ef02575b3dae4235755f13f",
        "https://metadefender.com/results/url/aHR0cHM6Ly90cmVhdHk3Lm9yZw==",
        "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled",
        "https://www.virustotal.com/graph/embed/g4ac79370897643149fd812849cb2fafc6752ce6598b44b4cb165360355d500eb?theme=dark",
        "oracle com downl # java.pdf",
        "https://www.filescan.io/uploads/6826cd18bff72ff46b64ee8c/reports/7036cd34-d101-4a91-b281-c2c4feeccee6/overview",
        "https://www.virustotal.com/gui/domain/treatysix.org/relations",
        "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806",
        "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
        "https://www.filescan.io/api/feed/reports",
        "https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/",
        "https://www.filescan.io/uploads/6821894cc7418694c8a8df79/reports/89adc027-4d41-4116-bf76-9503b674c065/overview",
        "https://www.virustotal.com/graph/embed/g05c13c5ff4db4f6099edcae670421f3b79a83cdb39704b21bb8742f4ac357a25?theme=dark",
        "Https://BiosVir.us",
        "https://www.virustotal.com/gui/collection/f4bf8288a20959a4f6d04b1aaad6e3d7107a2f9a486d4386fbe3198defdd8ebb/iocs",
        "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6",
        "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061",
        "https://www.virustotal.com/gui/domain/treatysix.org/details",
        "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview.html",
        "https://www.hybrid-analysis.com/sample/835e4c142d9f3445570bba99aaa66cbecbe427b3a5df6af9158ae3963e096d20/6814e75757ec43194f0f1110"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Doppelg\u00e4nger"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Doppelg\u00e4nger",
            "Insikt"
          ],
          "malware_families": [
            "Hta hatvibe",
            "Cases prevent",
            "Hatvibe"
          ],
          "industries": [
            "Technology",
            "Military",
            "Education",
            "Defense",
            "Government",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "66a8fc31eef230721db4d064",
      "name": "Mid-year Doppelganger information operations in Europe and the US",
      "description": "This investigation delves into information operations conducted by Russian actors known as Doppelg\u00e4nger, focusing on their activities from early June to late-July 2024. It examines their tactics, associated infrastructure, and motivations, particularly in relation to the unexpected snap general election in France during this period. The analysis reveals a persistent and complex effort to disseminate disinformation through social media, impersonating legitimate news websites and employing intricate redirection chains. The operations primarily target conservative and nationalist sentiments, aiming to destabilize Western democracies by exploiting existing societal and political divisions.",
      "modified": "2025-08-07T12:51:05.434000",
      "created": "2024-07-30T14:44:01.273000",
      "tags": [
        "redirection",
        "social media",
        "russian actors",
        "disinformation",
        "elections"
      ],
      "references": [
        "https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/"
      ],
      "public": 1,
      "adversary": "Doppelg\u00e4nger",
      "targeted_countries": [
        "France",
        "Germany",
        "United States of America",
        "Ukraine",
        "Israel",
        "Poland",
        "Taiwan"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1498.001",
          "name": "Direct Network Flood",
          "display_name": "T1498.001 - Direct Network Flood"
        },
        {
          "id": "T1583.002",
          "name": "DNS Server",
          "display_name": "T1583.002 - DNS Server"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1134.002",
          "name": "Create Process with Token",
          "display_name": "T1134.002 - Create Process with Token"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1609",
          "name": "Container Administration Command",
          "display_name": "T1609 - Container Administration Command"
        },
        {
          "id": "T1114.003",
          "name": "Email Forwarding Rule",
          "display_name": "T1114.003 - Email Forwarding Rule"
        },
        {
          "id": "T1589.001",
          "name": "Credentials",
          "display_name": "T1589.001 - Credentials"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1127.001",
          "name": "MSBuild",
          "display_name": "T1127.001 - MSBuild"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 264,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "URL": 232,
        "domain": 419,
        "email": 1,
        "hostname": 23
      },
      "indicator_count": 676,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377802,
      "modified_text": "256 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6811141c708261eb22d3a773",
      "name": "FileScan.io feed",
      "description": "",
      "modified": "2026-03-04T22:16:29.183000",
      "created": "2025-04-29T18:02:04.881000",
      "tags": [],
      "references": [
        "https://www.filescan.io/api/feed/reports"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 681,
        "BitcoinAddress": 1,
        "FileHash-MD5": 1595,
        "FileHash-SHA1": 1569,
        "FileHash-SHA256": 1726,
        "domain": 116,
        "email": 60,
        "hostname": 99
      },
      "indicator_count": 5847,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 178,
      "modified_text": "46 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68341d93e12cc9934920d926",
      "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics",
      "description": "TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.",
      "modified": "2025-06-25T07:01:11.856000",
      "created": "2025-05-26T07:51:47.680000",
      "tags": [
        "tag110",
        "sub procedure",
        "insikt group",
        "future",
        "tajikistan",
        "word",
        "microsoft word",
        "hatvibe",
        "central asia",
        "word startup",
        "template",
        "february",
        "kremlin",
        "copy",
        "soar",
        "insikt",
        "cases prevent",
        "hta hatvibe"
      ],
      "references": [
        "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled"
      ],
      "public": 1,
      "adversary": "Insikt",
      "targeted_countries": [
        "Tajikistan",
        "Russian Federation",
        "Kazakhstan",
        "Uzbekistan"
      ],
      "malware_families": [
        {
          "id": "Cases Prevent",
          "display_name": "Cases Prevent",
          "target": null
        },
        {
          "id": "HTA HATVIBE",
          "display_name": "HTA HATVIBE",
          "target": null
        },
        {
          "id": "HATVIBE",
          "display_name": "HATVIBE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Military"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 22,
        "domain": 22,
        "hostname": 10
      },
      "indicator_count": 66,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 180,
      "modified_text": "299 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68301c551b7142ed4a4df383",
      "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics",
      "description": "TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.",
      "modified": "2025-06-22T06:00:07.389000",
      "created": "2025-05-23T06:57:25.188000",
      "tags": [
        "tag110",
        "sub procedure",
        "insikt group",
        "future",
        "tajikistan",
        "word",
        "microsoft word",
        "hatvibe",
        "central asia",
        "word startup",
        "template",
        "february",
        "kremlin",
        "copy",
        "soar",
        "insikt",
        "cases prevent",
        "hta hatvibe"
      ],
      "references": [
        "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled"
      ],
      "public": 1,
      "adversary": "Insikt",
      "targeted_countries": [
        "Tajikistan",
        "Russian Federation",
        "Kazakhstan",
        "Uzbekistan"
      ],
      "malware_families": [
        {
          "id": "Cases Prevent",
          "display_name": "Cases Prevent",
          "target": null
        },
        {
          "id": "HTA HATVIBE",
          "display_name": "HTA HATVIBE",
          "target": null
        },
        {
          "id": "HATVIBE",
          "display_name": "HATVIBE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Military"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4,
        "URL": 22,
        "domain": 22,
        "hostname": 10
      },
      "indicator_count": 58,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 175,
      "modified_text": "302 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6826d587a09f89d896230007",
      "name": "Treaty 7 CA - 05.15.25",
      "description": "Domain Analysis of hxxps://treaty7[.]org",
      "modified": "2025-06-15T06:04:18.939000",
      "created": "2025-05-16T06:04:55.416000",
      "tags": [
        "malware",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "community",
        "results",
        "switch",
        "inquest labs",
        "resources api",
        "notes supported",
        "cve list",
        "drop your",
        "file",
        "service",
        "sandbox",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "contactus",
        "brandidwix",
        "ms429",
        "ts260",
        "browserlngen",
        "isca1",
        "iscf1",
        "ispd0",
        "ise0",
        "prefetch8 ansi",
        "ansi",
        "date",
        "show process",
        "threat level",
        "hash seen",
        "pcap processing",
        "sha256",
        "pcap",
        "command decode",
        "suspicious",
        "encrypt",
        "hybrid",
        "general",
        "comspec",
        "close",
        "click",
        "hosts",
        "path",
        "model",
        "strings",
        "contact",
        "javascript",
        "UAlberta",
        "Treaty7"
      ],
      "references": [
        "https://www.filescan.io/uploads/6826cd18bff72ff46b64ee8c/reports/7036cd34-d101-4a91-b281-c2c4feeccee6/overview",
        "https://metadefender.com/results/url/aHR0cHM6Ly90cmVhdHk3Lm9yZw==",
        "https://www.hybrid-analysis.com/sample/f610287a56377c483da68342ed21b75de3ac397000cb340115e6e41a1d16a923",
        "https://www.hybrid-analysis.com/sample/f610287a56377c483da68342ed21b75de3ac397000cb340115e6e41a1d16a923/6826cd9dd7197c59d908de0e",
        "https://www.virustotal.com/gui/collection/c1e01a1edffa20b1f1ff7042606279ab45badb355ef02575b3dae4235755f13f",
        "https://www.virustotal.com/gui/collection/c1e01a1edffa20b1f1ff7042606279ab45badb355ef02575b3dae4235755f13f/iocs",
        "https://www.virustotal.com/graph/embed/g4ac79370897643149fd812849cb2fafc6752ce6598b44b4cb165360355d500eb?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 374,
        "hostname": 134,
        "FileHash-MD5": 83,
        "domain": 64,
        "email": 11,
        "FileHash-SHA1": 71,
        "FileHash-SHA256": 71,
        "SSLCertFingerprint": 9
      },
      "indicator_count": 817,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "309 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682196a15b1ef91898209047",
      "name": "Confederacy of Treaty 6 First Nations - 05.12.25",
      "description": "Domain Analysis of Treaty 6",
      "modified": "2025-06-11T06:04:36.233000",
      "created": "2025-05-12T06:35:13.763000",
      "tags": [
        "please",
        "javascript",
        "malware",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "sandbox",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "namesilo",
        "redacted tech",
        "date",
        "redacted admin",
        "server",
        "key identifier",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "first",
        "code",
        "brandidwix",
        "isca1",
        "iscf1",
        "ispd0",
        "ise0",
        "ms623",
        "ts463",
        "browserlngen",
        "ms1540",
        "prefetch8 ansi",
        "ansi",
        "show process",
        "pcap processing",
        "hash seen",
        "pcap",
        "united",
        "programfiles",
        "ck id",
        "command decode",
        "suspicious",
        "encrypt",
        "comspec",
        "hybrid",
        "model",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "strings",
        "contact",
        "entity",
        "viewer",
        "UAlberta",
        "Alberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/domain/treatysix.org/details",
        "https://www.virustotal.com/gui/domain/treatysix.org/relations",
        "https://www.filescan.io/uploads/6821894cc7418694c8a8df79/reports/89adc027-4d41-4116-bf76-9503b674c065/overview",
        "https://www.hybrid-analysis.com/sample/11827b4935d0b3866afb6d04f6eb73eec196664f34c474ce48d0b10dbc087637",
        "https://www.hybrid-analysis.com/sample/11827b4935d0b3866afb6d04f6eb73eec196664f34c474ce48d0b10dbc087637/68218c1713c2f8388e0e75a3",
        "https://www.virustotal.com/gui/collection/d3c43342b1c853ac13ccaefa147433f4a352472bd0c3d15c65b8e07270956694/iocs",
        "https://www.virustotal.com/graph/embed/ge6925a8998194559b7a3390d2024e2819bcba50a6e4741b790f4ffa8af7c0061?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Government",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 82,
        "FileHash-MD5": 31,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 32,
        "email": 19,
        "hostname": 132,
        "URL": 438,
        "SSLCertFingerprint": 13
      },
      "indicator_count": 771,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "313 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6814ea4940291bbf76c52c7b",
      "name": "hxxps://www[.]treatysix[.]org/ - 05.02.25",
      "description": "Quick Analysis of hxxps://www[.]treatysix[.]org/ - 05.02.25 using VirusTotal, Filescan, Hybrid Analysis",
      "modified": "2025-06-01T15:01:43.382000",
      "created": "2025-05-02T15:52:41.629000",
      "tags": [
        "please",
        "javascript",
        "entity",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "platform",
        "ispd0",
        "ise0",
        "brandidwix",
        "ms483",
        "ts392",
        "browserlngen",
        "ms1099",
        "prefetch8 ansi",
        "date",
        "ansi",
        "show process",
        "threat level",
        "pcap processing",
        "hash seen",
        "pcap",
        "sha256",
        "programfiles",
        "suspicious",
        "encrypt",
        "comspec",
        "hybrid",
        "model",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "strings",
        "contact",
        "Treaty 6",
        "Treaty 8",
        "Alberta",
        "UAlberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/f4bf8288a20959a4f6d04b1aaad6e3d7107a2f9a486d4386fbe3198defdd8ebb/summary",
        "https://www.virustotal.com/gui/collection/f4bf8288a20959a4f6d04b1aaad6e3d7107a2f9a486d4386fbe3198defdd8ebb/iocs",
        "https://www.virustotal.com/graph/embed/g05c13c5ff4db4f6099edcae670421f3b79a83cdb39704b21bb8742f4ac357a25?theme=dark",
        "https://www.hybrid-analysis.com/sample/835e4c142d9f3445570bba99aaa66cbecbe427b3a5df6af9158ae3963e096d20",
        "https://www.filescan.io/uploads/6814e799bab2591d065350da/reports/7f2bb6d9-65b4-486e-80a7-6105949fdc6e/overview",
        "https://www.hybrid-analysis.com/sample/835e4c142d9f3445570bba99aaa66cbecbe427b3a5df6af9158ae3963e096d20/6814e75757ec43194f0f1110"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Government",
        "Education",
        "Healthcare",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 56,
        "FileHash-SHA1": 45,
        "FileHash-SHA256": 83,
        "URL": 111,
        "hostname": 277,
        "domain": 46,
        "email": 18,
        "SSLCertFingerprint": 15
      },
      "indicator_count": 651,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "323 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d0c4cb716b88c464c666c3",
      "name": "The Best Buy Virus - Spreads Via Bluetooth, Pre-Boots Bios",
      "description": "https://any.run/report/c6240ca88eed5b237451d4ceab51a5df1e8bc3b0a4a0e099fbe4b9f0d5cf23a2/bb5def03-bc05-461a-8f31-dac27aa379a3#i-table-processes-e4bd3114-7005-4ba7-96c9-337696f5c010\n\nFormerly referred to as WhinySuckyBaby before Best Buy Corporate elected to completely avoid all responsibility for the virus that they are spreading to anyone that walks into those stores. Infection is proven and on video at: Https://BiosVir.us or https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
      "modified": "2025-05-15T09:15:39.493000",
      "created": "2024-08-29T18:58:19.338000",
      "tags": [
        "Bios",
        "Virus",
        "Sucky",
        "Bluetooth",
        "CryptoMining",
        "Keylogging",
        "Crypto",
        "Euif",
        "Best",
        "Persistant",
        "Survives Reformat",
        "No Help",
        "Buy",
        "WhinySuckyBaby",
        "Squad",
        "Whiny",
        "Mark Monitor",
        "Digital Stalking",
        "Best Buy",
        "Baby",
        "w3.org",
        "Geek"
      ],
      "references": [
        "",
        "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806",
        "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
        "Https://BiosVir.us",
        "Https://BluetoothVirus.com",
        "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061",
        "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 32,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 13,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Jeff4Son",
        "id": "291365",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 422,
        "FileHash-SHA1": 420,
        "FileHash-SHA256": 966,
        "URL": 620,
        "domain": 531,
        "hostname": 1564,
        "email": 6,
        "SSLCertFingerprint": 13
      },
      "indicator_count": 4542,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 36,
      "modified_text": "340 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "676b5a7cd903a3fec3a68ba7",
      "name": "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview",
      "description": "We use cookies to store information on our website, but we do not store any personally identifiable data, so we may use them to monitor how we interact with your browser and send messages to our users.",
      "modified": "2025-05-14T21:23:57.367000",
      "created": "2024-12-25T01:06:04.499000",
      "tags": [
        "malware",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "nothreat osint",
        "znaleziono cz",
        "werdykt brak",
        "duration",
        "analytics",
        "reject all",
        "cookie ga",
        "file details",
        "url details",
        "rules extracted",
        "alexa"
      ],
      "references": [
        "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 70,
        "FileHash-SHA256": 88,
        "domain": 8,
        "hostname": 16
      },
      "indicator_count": 182,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 122,
      "modified_text": "340 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6788c6a841a3b4f6aafd1c3d",
      "name": "Mid-year Doppelganger information operations in Europe and the US",
      "description": "",
      "modified": "2025-01-16T08:43:20.646000",
      "created": "2025-01-16T08:43:20.646000",
      "tags": [
        "redirection",
        "social media",
        "russian actors",
        "disinformation",
        "elections"
      ],
      "references": [
        "https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/"
      ],
      "public": 1,
      "adversary": "Doppelg\u00e4nger",
      "targeted_countries": [
        "France",
        "Germany",
        "United States of America",
        "Ukraine",
        "Israel",
        "Poland",
        "Taiwan"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1498.001",
          "name": "Direct Network Flood",
          "display_name": "T1498.001 - Direct Network Flood"
        },
        {
          "id": "T1583.002",
          "name": "DNS Server",
          "display_name": "T1583.002 - DNS Server"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1134.002",
          "name": "Create Process with Token",
          "display_name": "T1134.002 - Create Process with Token"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1609",
          "name": "Container Administration Command",
          "display_name": "T1609 - Container Administration Command"
        },
        {
          "id": "T1114.003",
          "name": "Email Forwarding Rule",
          "display_name": "T1114.003 - Email Forwarding Rule"
        },
        {
          "id": "T1589.001",
          "name": "Credentials",
          "display_name": "T1589.001 - Credentials"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1127.001",
          "name": "MSBuild",
          "display_name": "T1127.001 - MSBuild"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "66ab1af7fa97122299b0eac5",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "URL": 235,
        "domain": 419,
        "email": 1,
        "hostname": 26
      },
      "indicator_count": 682,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 264,
      "modified_text": "459 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "document.open",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "document.open",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776717528.0167851
}