{ "type": "Domain", "indicator": "dodgit.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/dodgit.com", "alexa": "http://www.alexa.com/siteinfo/dodgit.com", "indicator": "dodgit.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "whitelist", "message": "Whitelisted domain dodgit.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3390097816, "indicator": "dodgit.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6854082f2edb40c1c80b0831", "name": "JSDdelivr blocklist", "description": "", "modified": "2025-06-19T14:28:09.610000", "created": "2025-06-19T12:53:03.734000", "tags": [], "references": [ "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5675, "hostname": 171 }, "indicator_count": 5846, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669e42fea462f0c8f8db32a1", "name": "Worm:Win32/Ganelp.A - Malicious IP: 148.163.152.21", "description": "Malicious IP found in disastrous attack against a mid level media marketing firm that the healthcare, travel, corporate event industry. \nEmployee phones are 'zombies' some laptops likely impacted by the Crowd Strike issue, (blue screen). Excessive tracking, monitoring, active botnets, power outage, and more. Research of IP and other IoC's found. Unfortunately, many of the clients are also sucked into issue. It appears that the issue has persisted for several years. The outage just made us work every angle. The attack goes beyond the CS 'update' outage, as the seemingly well cyber manged firm was under a very targeted, ongoing cyber attack that has kept company from rebounding. Red Team behavior seen.", "modified": "2024-08-21T11:03:59.106000", "created": "2024-07-22T11:31:10.391000", "tags": [ "historical ssl", "referrer", "fancy bear", "scan endpoints", "all search", "otx scoreblue", "ipv4", "pulse submit", "url analysis", "passive dns", "urls", "files", "reverse dns", "open", "status", "name servers", "creation date", "search", "proofpoint", "expiration date", "div div", "date", "accept", "next", "united", "cname", "asnone united", "a nxdomain", "domain", "united kingdom", "servers", "showing", "nxdomain", "dname", "whitelisted", "aaaa", "script urls", "costa rica", "script domains", "msie", "chrome", "unknown", "body", "gmt content", "all scoreblue", "pulse pulses", "entries", "as8987 amazon", "as20940", "hostname", "gartner", "crowdstrike", "business value", "magic quadrant", "customer", "realized", "assessment", "economic impact", "complete", "february", "utc na", "ver2", "msclkidn", "html info", "meta tags", "mobileoptimized", "adobe dynamic", "tag management", "utc bing", "cobalt strike", "communications", "android device", "neutral", "win32 exe", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "sections", "rticon neutral", "ico rtgroupicon", "xml rtmanifest", "overlay", "threat roundup", "pandas", "attacks against", "southeast", "wannacry kill", "switch dns", "query", "high level", "hackers", "unknown win", "core", "ascii text", "sha256", "sha1", "size", "pattern match", "suricata stream", "command decode", "utf8 text", "mitre att", "path", "hybrid", "starfield", "meta", "general", "target", "local", "click", "strings", "trident", "legacy", "main", "contact", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "t1055 system", "pe file", "t1497 query", "may sleep", "allocate rwx", "get file", "access", "windows event", "allocate", "link function", "windows link", "contains pdb", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls tcp", "hashes", "user", "file system", "written c", "samplepath", "files dropped", "userprofile", "registry keys", "registry", "set registrya", "conhost", "comspec", "created", "temp", "windows", "displayname", "process", "commands", "signals mutexes", "mutexes", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "ca1 odigicert", "inc validity", "subject public", "certificate", "whois lookup", "netrange", "nethandle", "net148", "net1480000", "as16509", "as22843", "as13916", "form", "server", "registrar abuse", "email", "request email", "verisign", "icann whois", "tech", "first", "project skynet", "cyber army", "dynamicloader", "high", "delete c", "show", "username", "medium", "default", "yara detections", "worm", "copy", "write", "duptwux", "malware", "x82xd4", "kx81xdbx0f", "x86xd3", "xa1xf1", "xe8xc2x14", "wx99xcdx11", "regsetvalueexa", "regbinary", "xe8xc6x13", "hx88x9ax1e", "stream", "win32", "persistence", "execution", "av detections", "ids detections", "alerts", "analysis date", "file score", "ftp username", "contacted", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "severity", "null", "refresh", "span", "error", "tools", "look", "verify", "restart", "robtex", "apple ios", "apple", "domains", "co number", "virtual mobile", "logistics", "cyber defense", "twitter", "read c", "artemis", "intel", "steals", "virustotal", "python", "panda", "falcon sandbox", "analysis", "hybrid analysis", "submission name", "av detection", "multi scan", "highest", "ability", "execute", "upgrade", "intelligence", "learn", "reports", "logo analysis", "size17kib type", "command", "found", "layer protocol", "osi application", "ip address", "t1105 ingress", "tool transfer", "problems", "threat network", "infrastructure", "domains part", "domain tracker", "roundup", "new problems", "startpage", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "ob0007 system", "e1082 file", "e1083 impact", "data manipulation", "remote system", "discovery", "t1059 accept", "modules t1129", "enumerate", "as2914 ntt", "access denied", "as16625 akamai", "germany unknown", "csccorpdomains", "as31109", "invalid url", "mirai", "port", "destination", "bad login", "suspicious path", "nids", "tcp syn", "root account", "cve20185723", "as8068", "please", "x msedge", "embeddedwb", "windows nt", "tofsee", "push", "as54113", "as396982 google", "as31898 oracle", "moved", "encrypt" ], "references": [ "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "http://images.contact.acams.org/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Trojan.Agent.FRYX", "display_name": "Trojan.Agent.FRYX", "target": null }, { "id": "Win32:AceCrypter-B [Cryp]", "display_name": "Win32:AceCrypter-B [Cryp]", "target": null }, { "id": "Mal_Tofsee", "display_name": "Mal_Tofsee", "target": null }, { "id": "Ransom.StopcryptPMF.", "display_name": "Ransom.StopcryptPMF.", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Worm:Win32/Ganelp.A", "display_name": "Worm:Win32/Ganelp.A", "target": "/malware/Worm:Win32/Ganelp.A" }, { "id": "trojan.shellrunner/emailworm", "display_name": "trojan.shellrunner/emailworm", "target": null }, { "id": "trojan.redcap/python", "display_name": "trojan.redcap/python", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 890, "FileHash-SHA1": 853, "FileHash-SHA256": 7215, "domain": 2771, "hostname": 5544, "URL": 13393, "email": 12, "SSLCertFingerprint": 15, "CIDR": 1, "CVE": 3 }, "indicator_count": 30697, "is_author": false, "is_subscribing": null, "subscriber_count": 240, "modified_text": "648 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c5e50dda752af9eab50933", "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork", "description": "Pegasus abuse by an alleged legal team with the malware hosting DGA domain https://hallrender.com. Related to an ongoing attack by a M.Brian Sabey who has fixated on a non criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts Side 3 provides services to Grammy award winning, nominated and aspiring artists. If you're heard of them , they've recorded there. There is evidence of music file transfers possibly, illegally sold to well known artist. This may have been done without knowledge of studio representatives. More likely by a hacker who boldly informed.", "modified": "2024-03-10T08:03:07.690000", "created": "2024-02-09T08:40:45.976000", "tags": [ "malware", "pegasus", "cellbrite", "targets sa", "survivor", "referrer", "contacted urls", "contacted", "whois record", "hr rtd", "execution", "ssl certificate", "communicating", "skynet", "malicious", "csc corporate", "domains", "code", "t services", "date", "saint louis", "server", "registrar abuse", "whois lookups", "tech email", "threat roundup", "july", "march", "june", "files", "august", "phishing", "service", "amadey", "blacknet rat", "roundup", "magecart", "powershell", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "gmt vary", "gmt connection", "link", "studio", "side", "studios", "downtown denver", "colorado", "studios og", "html info", "title denver", "studios meta", "tags og", "hallrender", "mark brian sabey", "tulach", "passive dns", "urls", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "domain", "files ip", "united", "as36646 oath", "unknown", "body doctype", "yahoo title", "x ua", "ieedge chrome1", "possible", "as19137 epsilon", "ipv4", "pulse pulses", "body", "headers nel", "contentencoding", "connection", "access control", "search", "address", "domain robot", "record value", "next", "parking crew", "tracking", "tsara brashears", "targeting", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "as6185 apple", "creation date", "trojan", "virtool", "worm", "servers", "expiration date", "moved", "certificate", "showing", "entries" ], "references": [ "adsl-074-168-130-217.sip.pns.bellsouth.net", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "nr-data.net [Apple Private Data Collection]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]" ], "public": 1, "adversary": "NSO GROUP", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3263, "FileHash-MD5": 133, "FileHash-SHA1": 125, "FileHash-SHA256": 2596, "domain": 1168, "hostname": 1877, "CVE": 2, "email": 6 }, "indicator_count": 9170, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7c9f6bf793f823e6398", "name": "Qakbot attacks. As strong as before?", "description": "", "modified": "2023-12-06T16:56:41.266000", "created": "2023-12-06T16:56:41.266000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "hostname": 1177, "FileHash-SHA256": 2150, "domain": 620, "URL": 3016, "FileHash-MD5": 519, "FileHash-SHA1": 292 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570802448b61f9a84f1ef6e", "name": "San Jose County Ca", "description": "", "modified": "2023-12-06T14:07:32.800000", "created": "2023-12-06T14:07:32.800000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1203, "FileHash-SHA256": 1906, "domain": 374, "URL": 62 }, "indicator_count": 3545, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651e79f50ce42abe29702324", "name": "Qakbot attacks. As strong as before?", "description": "command and control\nRedlinestealer\nQakbot\nNoName057\nAzorult\nBlack Rat\nbrowser malware \nBanker\nTheft\nPhishing", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-05T08:55:16.736000", "tags": [ "blacklist https", "rstunf", "tad436770", "united", "anonymizer", "mail spammer", "malicious host", "cyber threat", "heur", "phishing", "malware", "team", "control server", "qakbot", "redline stealer", "malicious", "asyncrat", "cobalt strike", "download", "cisco umbrella", "site", "safe site", "malicious url", "paypal", "team phishing", "detection list", "blacklist", "azorult", "service", "runescape", "facebook", "bank", "alexa", "blacknet rat", "stealer", "noname057", "ip summary", "url summary", "summary", "sample", "samples", "attack", "tsara", "tsara brashears", "boeing", "apple id", "samsung", "telegrafix", "trellian", "dumping", "fiies shared", "browser malware", "cyber criminal", "cyber crime", "brashears", "hybrid", "analysis" ], "references": [], "public": 1, "adversary": "Qakbot", "targeted_countries": [ "United States of America", "Japan", "Argentina" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3016, "domain": 620, "hostname": 1177, "FileHash-MD5": 519, "FileHash-SHA1": 292, "FileHash-SHA256": 2150, "CVE": 1 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1a715b26eb6e3ff58875", "name": "Qakbot attacks. As strong as before?", "description": "", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-30T02:52:33.136000", "tags": [ "blacklist https", "rstunf", "tad436770", "united", "anonymizer", "mail spammer", "malicious host", "cyber threat", "heur", "phishing", "malware", "team", "control server", "qakbot", "redline stealer", "malicious", "asyncrat", "cobalt strike", "download", "cisco umbrella", "site", "safe site", "malicious url", "paypal", "team phishing", "detection list", "blacklist", "azorult", "service", "runescape", "facebook", "bank", "alexa", "blacknet rat", "stealer", "noname057", "ip summary", "url summary", "summary", "sample", "samples", "attack", "tsara", "tsara brashears", "boeing", "apple id", "samsung", "telegrafix", "trellian", "dumping", "fiies shared", "browser malware", "cyber criminal", "cyber crime", "brashears", "hybrid", "analysis" ], "references": [], "public": 1, "adversary": "Qakbot", "targeted_countries": [ "United States of America", "Japan", "Argentina" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "651e79f50ce42abe29702324", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3016, "domain": 620, "hostname": 1177, "FileHash-MD5": 519, "FileHash-SHA1": 292, "FileHash-SHA256": 2150, "CVE": 1 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622136221b98e828da5b9d4e", "name": "San Jose County Ca", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T21:41:54.243000", "tags": [], "references": [ "San Jose County Ca.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1203, "domain": 374, "URL": 62, "FileHash-SHA256": 1906 }, "indicator_count": 3545, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1521 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "nr-data.net [Apple Private Data Collection]", "appleaustralia.com", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "http://images.contact.acams.org/", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "https://176.113.115.136/ohhiiiii/", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85", "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "adsl-074-168-130-217.sip.pns.bellsouth.net", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "San Jose County Ca.pdf", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "palantir-staging.staging.candidate.app.paulsjob.ai", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "pornhub.com\t \u2022 www.pornhub.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "NSO GROUP", "Qakbot" ], "malware_families": [ "Amadey", "Emotet", "Apnic", "Tofsee", "Trojan.agent.fryx", "Hallrender", "Skynet", "Nids", "Tulach", "Blacknet rat", "Sabey", "Pegasus", "Backdoor:win32/tofsee.t", "Worm:win32/ganelp.a", "Muldrop", "Mirai", "Trojan.redcap/python", "Mal_tofsee", "Win.packer.pkr_ce1a-9980177-0", "Possible", "Win32:acecrypter-b [cryp]", "Trojan.shellrunner/emailworm", "Ransom.stopcryptpmf." ], "industries": [ "Technology", "Government", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "68be65e95645ef1a6c8a898d", "name": "Apple affected by Tofsee at least 4 remote devices. DEAD Apple products", "description": "Such a hacked device. Victims phone remotely accessed the night it was purchased. A man wearing a jammer/ deauth watch was part of an aggressive caravan of followers. Will repost related pulse. \n South Africa became customer service once again for every external service called. Target was aware. \n\nIt must be nice to SA someone, and have a racist mafia of silencers behind because the corporation didn\u2019t want bad press and the Sheriff was friends with the MD who threatened victim with future retaliation.\n\nNo one helps because this is obviously abuse by law enforcement. He is the victim. She simply suffered from life threatening injuries until the end. This should be illegal. Denied justice, representation, medical care, emergency care of any kind, diagnos3s and followed and monitored 24/7.", "modified": "2025-10-08T04:04:41.943000", "created": "2025-09-08T05:13:13.781000", "tags": [ "mtb oct", "trojandropper", "avast avg", "backdoor", "trojan", "ubuntu", "passive dns", "federation flag", "asn as49505", "dns resolutions", "domains top", "level", "unique tlds", "dynamicloader", "high", "medium", "port", "delete c", "windows", "displayname", "tofsee", "grum", "stream", "powershell", "write", "malware", "hostile", "misa", "ipv4 add", "urls", "files", "learn", "ck id", "name tactics", "suspicious", "informative", "found", "command", "defense evasion", "adversaries", "spawns", "united", "orc5", "flag", "rhur3d", "title", "click", "strings", "refresh", "aids", "dzan", "sumo", "miny", "judi", "pattern match", "mitre att", "show technique", "ck matrix", "ascii text", "show process", "hybrid", "general", "local", "path", "t1480 execution", "null", "span", "error", "tools", "look", "verify", "restart", "domain secure", "windows nt", "ogoogle trust", "zerossl ecc", "site ca0x1ex17r", "win64", "unknown", "encrypt", "search", "entries", "destination", "push", "next", "apple", "moved", "gmt content", "type", "content length", "ipv4", "date", "handle", "address range", "cidr", "network name", "allocation type", "assigned pi", "status", "whois server", "entity ipripe", "apnic", "url add", "http", "hostname", "files domain", "files related", "related tags", "ip address", "related nids", "files location", "flag united", "unknown ns", "name servers", "creation date", "emails", "pulse pulses", "pulses none", "none google", "safe browsing", "external", "location united", "asn as714", "less whois", "registrar", "ios", "iphone", "ipad", "australia", "dead host" ], "references": [ "https://idmsa.apple.com/ \u2022 account.apple.com \u2022 appleid.apple.com \u2022 http://www.apple.com/filenotfound", "https://176.113.115.136/ohhiiiii/", "https://appleid.apple.com/cgi-bin/WebObjects/MyAppleIdCVE", "https://ipadaustralia.com/mim/93tkkjy9zc9fv796398p4e8425id90u4u727g7094724c0a9i8", "palantir-staging.staging.candidate.app.paulsjob.ai", "pornhub.com\t \u2022 www.pornhub.com", "appleaustralia.com", "https://hybrid-analysis.com/sample/a871c76756ddf6d18d728b668d011e9d04e9db9c79734450a562f1f4b6ba2cdc/68be456cd90e6cbdf30d2afb", "https://hybrid-analysis.com/sample/35dce2c9c408e751622991b0655871f35ab97106fa87c233dfa2b135b4014df4/68be451808aeabd5cc0e9e85" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Muldrop", "display_name": "Muldrop", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "APNIC", "display_name": "APNIC", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1273, "FileHash-MD5": 347, "domain": 606, "hostname": 778, "FileHash-SHA256": 2724, "FileHash-SHA1": 322, "email": 9, "SSLCertFingerprint": 14, "CIDR": 3 }, "indicator_count": 6076, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6854082f2edb40c1c80b0831", "name": "JSDdelivr blocklist", "description": "", "modified": "2025-06-19T14:28:09.610000", "created": "2025-06-19T12:53:03.734000", "tags": [], "references": [ "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5675, "hostname": 171 }, "indicator_count": 5846, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669e42fea462f0c8f8db32a1", "name": "Worm:Win32/Ganelp.A - Malicious IP: 148.163.152.21", "description": "Malicious IP found in disastrous attack against a mid level media marketing firm that the healthcare, travel, corporate event industry. \nEmployee phones are 'zombies' some laptops likely impacted by the Crowd Strike issue, (blue screen). Excessive tracking, monitoring, active botnets, power outage, and more. Research of IP and other IoC's found. Unfortunately, many of the clients are also sucked into issue. It appears that the issue has persisted for several years. The outage just made us work every angle. The attack goes beyond the CS 'update' outage, as the seemingly well cyber manged firm was under a very targeted, ongoing cyber attack that has kept company from rebounding. Red Team behavior seen.", "modified": "2024-08-21T11:03:59.106000", "created": "2024-07-22T11:31:10.391000", "tags": [ "historical ssl", "referrer", "fancy bear", "scan endpoints", "all search", "otx scoreblue", "ipv4", "pulse submit", "url analysis", "passive dns", "urls", "files", "reverse dns", "open", "status", "name servers", "creation date", "search", "proofpoint", "expiration date", "div div", "date", "accept", "next", "united", "cname", "asnone united", "a nxdomain", "domain", "united kingdom", "servers", "showing", "nxdomain", "dname", "whitelisted", "aaaa", "script urls", "costa rica", "script domains", "msie", "chrome", "unknown", "body", "gmt content", "all scoreblue", "pulse pulses", "entries", "as8987 amazon", "as20940", "hostname", "gartner", "crowdstrike", "business value", "magic quadrant", "customer", "realized", "assessment", "economic impact", "complete", "february", "utc na", "ver2", "msclkidn", "html info", "meta tags", "mobileoptimized", "adobe dynamic", "tag management", "utc bing", "cobalt strike", "communications", "android device", "neutral", "win32 exe", "pe32", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "sections", "rticon neutral", "ico rtgroupicon", "xml rtmanifest", "overlay", "threat roundup", "pandas", "attacks against", "southeast", "wannacry kill", "switch dns", "query", "high level", "hackers", "unknown win", "core", "ascii text", "sha256", "sha1", "size", "pattern match", "suricata stream", "command decode", "utf8 text", "mitre att", "path", "hybrid", "starfield", "meta", "general", "target", "local", "click", "strings", "trident", "legacy", "main", "contact", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "t1055 system", "pe file", "t1497 query", "may sleep", "allocate rwx", "get file", "access", "windows event", "allocate", "link function", "windows link", "contains pdb", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls tcp", "hashes", "user", "file system", "written c", "samplepath", "files dropped", "userprofile", "registry keys", "registry", "set registrya", "conhost", "comspec", "created", "temp", "windows", "displayname", "process", "commands", "signals mutexes", "mutexes", "full name", "data", "v3 serial", "number", "cus cndigicert", "tls rsa", "ca1 odigicert", "inc validity", "subject public", "certificate", "whois lookup", "netrange", "nethandle", "net148", "net1480000", "as16509", "as22843", "as13916", "form", "server", "registrar abuse", "email", "request email", "verisign", "icann whois", "tech", "first", "project skynet", "cyber army", "dynamicloader", "high", "delete c", "show", "username", "medium", "default", "yara detections", "worm", "copy", "write", "duptwux", "malware", "x82xd4", "kx81xdbx0f", "x86xd3", "xa1xf1", "xe8xc2x14", "wx99xcdx11", "regsetvalueexa", "regbinary", "xe8xc6x13", "hx88x9ax1e", "stream", "win32", "persistence", "execution", "av detections", "ids detections", "alerts", "analysis date", "file score", "ftp username", "contacted", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "severity", "null", "refresh", "span", "error", "tools", "look", "verify", "restart", "robtex", "apple ios", "apple", "domains", "co number", "virtual mobile", "logistics", "cyber defense", "twitter", "read c", "artemis", "intel", "steals", "virustotal", "python", "panda", "falcon sandbox", "analysis", "hybrid analysis", "submission name", "av detection", "multi scan", "highest", "ability", "execute", "upgrade", "intelligence", "learn", "reports", "logo analysis", "size17kib type", "command", "found", "layer protocol", "osi application", "ip address", "t1105 ingress", "tool transfer", "problems", "threat network", "infrastructure", "domains part", "domain tracker", "roundup", "new problems", "startpage", "e1203 windows", "catalog tree", "analysis ob0001", "b0001 process", "b0003 delayed", "analysis ob0002", "evasion ob0006", "ob0007 system", "e1082 file", "e1083 impact", "data manipulation", "remote system", "discovery", "t1059 accept", "modules t1129", "enumerate", "as2914 ntt", "access denied", "as16625 akamai", "germany unknown", "csccorpdomains", "as31109", "invalid url", "mirai", "port", "destination", "bad login", "suspicious path", "nids", "tcp syn", "root account", "cve20185723", "as8068", "please", "x msedge", "embeddedwb", "windows nt", "tofsee", "push", "as54113", "as396982 google", "as31898 oracle", "moved", "encrypt" ], "references": [ "148.163.152.21 AS 22843 (PROOFPOINT-ASN-US-EAST) US | www.robtex.com | www.spf-record.com |", "Crowdsourced Sigma Rules: Suspicious New Service Creation by Nasreddine Bencherchali (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspicious Svchost Process by Florian Roth (Nextron Systems)", "Crowdsourced Sigma Rules: Matches rule Suspect Svchost Activity by David Burkett, @signalblur", "Crowdsourced Sigma Rules: Matches rule Suspicious Outbound SMTP Connections by frack113", "Crowdsourced Sigma Rules: Matches rule Creation of an Executable by an Executable by frack113", "https://www.virustotal.com/gui/file/dcd0812ed0b280cee38a3f8a68e5fde900f0a9f832ca53167d38d96f105eb9b9/detection", "Antivirus Detections Win.Trojan.Sality-1047 , Worm:Win32/Ganelp.A IDS Detections W32.Duptwux/Ganelp FTP Username - onthelinux Yara Detections InstallShield2000 Alerts persistence_autorun_tasks cape_detected_threat bypass_firewall suricata_alert dynamic_function_loading dropper injection_rwx IP\u2019s Contacted 209.202.252.54", "ELF:Mirai-GH\\ [Trj] 91b62309447ba8db2a456b546d02cee07f1fd1027a0dd23b0ad87bec18b5acee", "https://hybrid-analysis.com/sample/b31067b40534bc4a9d68ac2f13f6090956d171d23c3d3f7a8c92a8745aed4db3", "https://otx.alienvault.com/indicator/file/00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "trojan.shellrunner/emailworm: FileHash-SHA256 f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67", "https://www.virustotal.com/gui/file/f9527077fe3699a17a45276e3b15d65014b5c1d2d10c09f476a21b90fbd0bf67/detection", "Trojan.Agent.FRYX: http://email.bidayati.com/c/eJwkkc1ygjoYQJ8Gd3TClwTIwgUR0Aq12BbBbu5EfuQnioVQwKe_03v3Z-bMnJOvbUwtS6yKtWEZjNmMULyq1oAMYto2zZhd2IbIGb6UBdiYCqMoC", "Worm:Win32/Ganelp.A: FileHash-SHA256 00001054e41d89822267a38856e76eafc2c2e2f20c3f17a392e417f8b87e4ce1", "Worm:Win32/Ganelp.A: FileHash-SHA1 0eed684aef678aeffb43866bd2c975876e82eeab", "Worm:Win32/Ganelp.A: FileHash-MD5 b5e26ac3b7518b77631ab7bcefae10fe", "Trojan.Crypted-6 | infostealer_browser : https://otx.alienvault.com/indicator/file/29971e4a9ce229d79fae4cbdff1b32d2", "Falcon-FileVantage.exe | trojan.redcap/python: FileHash-SHA256 06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328", "https://www.virustotal.com/gui/file/06d4c16f64fc377b7dd5d8dff8bc6b11728d4cbbf3dcb42a9b819cc028afc328/detection", "apple-carry-relay.cloudflare.com | apple-dns.net | emails.redvue.com | https://arduboy.com/bad-apple-demo-is-good | 67.199.248.12", "https://tools.totaleconomicimpact.com/go/apple/TEI/docs/TEI-of-Mac-in-Enterprise.pdf | 79appleway.com | technoapple.com", "http://image.nationwide-service.co.uk/lib/fe9515737163077971/m/1/spacer_ApplePay.gif bum?id=326459173&s=143441 | mails.redvue.com", "http://www.rvrb.me/fan_reach/pt?eid=A429942_17490857_19605431_lnk1018&url=http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewAl", "Antivirus Detections ELF:Mirai-GH\\ [Trj]", "IDS Detections Master IP CAM 01 Hardcoded Password for Root Account (CVE-2018-5723) Juniper ScreenOS telnet Backdoor Default Password Attempt SUSPICIOUS Path to BusyBox Possible Linux.Mirai Login Attempt (meinsm) Actiontec C1000A backdoor account M2", "IDS Detections Win32/Tofsee.AX google.com connectivity check External IP Lookup www.trackip.net Possible", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian - is this a must?", "http://images.contact.acams.org/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Trojan.Agent.FRYX", "display_name": "Trojan.Agent.FRYX", "target": null }, { "id": "Win32:AceCrypter-B [Cryp]", "display_name": "Win32:AceCrypter-B [Cryp]", "target": null }, { "id": "Mal_Tofsee", "display_name": "Mal_Tofsee", "target": null }, { "id": "Ransom.StopcryptPMF.", "display_name": "Ransom.StopcryptPMF.", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Worm:Win32/Ganelp.A", "display_name": "Worm:Win32/Ganelp.A", "target": "/malware/Worm:Win32/Ganelp.A" }, { "id": "trojan.shellrunner/emailworm", "display_name": "trojan.shellrunner/emailworm", "target": null }, { "id": "trojan.redcap/python", "display_name": "trojan.redcap/python", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 890, "FileHash-SHA1": 853, "FileHash-SHA256": 7215, "domain": 2771, "hostname": 5544, "URL": 13393, "email": 12, "SSLCertFingerprint": 15, "CIDR": 1, "CVE": 3 }, "indicator_count": 30697, "is_author": false, "is_subscribing": null, "subscriber_count": 240, "modified_text": "648 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c5e50dda752af9eab50933", "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork", "description": "Pegasus abuse by an alleged legal team with the malware hosting DGA domain https://hallrender.com. Related to an ongoing attack by a M.Brian Sabey who has fixated on a non criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts Side 3 provides services to Grammy award winning, nominated and aspiring artists. If you're heard of them , they've recorded there. There is evidence of music file transfers possibly, illegally sold to well known artist. This may have been done without knowledge of studio representatives. More likely by a hacker who boldly informed.", "modified": "2024-03-10T08:03:07.690000", "created": "2024-02-09T08:40:45.976000", "tags": [ "malware", "pegasus", "cellbrite", "targets sa", "survivor", "referrer", "contacted urls", "contacted", "whois record", "hr rtd", "execution", "ssl certificate", "communicating", "skynet", "malicious", "csc corporate", "domains", "code", "t services", "date", "saint louis", "server", "registrar abuse", "whois lookups", "tech email", "threat roundup", "july", "march", "june", "files", "august", "phishing", "service", "amadey", "blacknet rat", "roundup", "magecart", "powershell", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "gmt vary", "gmt connection", "link", "studio", "side", "studios", "downtown denver", "colorado", "studios og", "html info", "title denver", "studios meta", "tags og", "hallrender", "mark brian sabey", "tulach", "passive dns", "urls", "scan endpoints", "all octoseek", "hostname", "pulse submit", "url analysis", "domain", "files ip", "united", "as36646 oath", "unknown", "body doctype", "yahoo title", "x ua", "ieedge chrome1", "possible", "as19137 epsilon", "ipv4", "pulse pulses", "body", "headers nel", "contentencoding", "connection", "access control", "search", "address", "domain robot", "record value", "next", "parking crew", "tracking", "tsara brashears", "targeting", "as20940", "aaaa", "as714 apple", "as16625 akamai", "win32mydoom feb", "name servers", "as6185 apple", "creation date", "trojan", "virtool", "worm", "servers", "expiration date", "moved", "certificate", "showing", "entries" ], "references": [ "adsl-074-168-130-217.sip.pns.bellsouth.net", "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu", "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm", "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]", "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios", "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21", "https://otx.alienvault.com/indicator/ip/74.6.231.21", "nr-data.net [Apple Private Data Collection]", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]", "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]" ], "public": 1, "adversary": "NSO GROUP", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "AMADEY", "display_name": "AMADEY", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "BlackNET RAT", "display_name": "BlackNET RAT", "target": null }, { "id": "Possible", "display_name": "Possible", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3263, "FileHash-MD5": 133, "FileHash-SHA1": 125, "FileHash-SHA256": 2596, "domain": 1168, "hostname": 1877, "CVE": 2, "email": 6 }, "indicator_count": 9170, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7c9f6bf793f823e6398", "name": "Qakbot attacks. As strong as before?", "description": "", "modified": "2023-12-06T16:56:41.266000", "created": "2023-12-06T16:56:41.266000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "hostname": 1177, "FileHash-SHA256": 2150, "domain": 620, "URL": 3016, "FileHash-MD5": 519, "FileHash-SHA1": 292 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570802448b61f9a84f1ef6e", "name": "San Jose County Ca", "description": "", "modified": "2023-12-06T14:07:32.800000", "created": "2023-12-06T14:07:32.800000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1203, "FileHash-SHA256": 1906, "domain": 374, "URL": 62 }, "indicator_count": 3545, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651e79f50ce42abe29702324", "name": "Qakbot attacks. As strong as before?", "description": "command and control\nRedlinestealer\nQakbot\nNoName057\nAzorult\nBlack Rat\nbrowser malware \nBanker\nTheft\nPhishing", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-05T08:55:16.736000", "tags": [ "blacklist https", "rstunf", "tad436770", "united", "anonymizer", "mail spammer", "malicious host", "cyber threat", "heur", "phishing", "malware", "team", "control server", "qakbot", "redline stealer", "malicious", "asyncrat", "cobalt strike", "download", "cisco umbrella", "site", "safe site", "malicious url", "paypal", "team phishing", "detection list", "blacklist", "azorult", "service", "runescape", "facebook", "bank", "alexa", "blacknet rat", "stealer", "noname057", "ip summary", "url summary", "summary", "sample", "samples", "attack", "tsara", "tsara brashears", "boeing", "apple id", "samsung", "telegrafix", "trellian", "dumping", "fiies shared", "browser malware", "cyber criminal", "cyber crime", "brashears", "hybrid", "analysis" ], "references": [], "public": 1, "adversary": "Qakbot", "targeted_countries": [ "United States of America", "Japan", "Argentina" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3016, "domain": 620, "hostname": 1177, "FileHash-MD5": 519, "FileHash-SHA1": 292, "FileHash-SHA256": 2150, "CVE": 1 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1a715b26eb6e3ff58875", "name": "Qakbot attacks. As strong as before?", "description": "", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-30T02:52:33.136000", "tags": [ "blacklist https", "rstunf", "tad436770", "united", "anonymizer", "mail spammer", "malicious host", "cyber threat", "heur", "phishing", "malware", "team", "control server", "qakbot", "redline stealer", "malicious", "asyncrat", "cobalt strike", "download", "cisco umbrella", "site", "safe site", "malicious url", "paypal", "team phishing", "detection list", "blacklist", "azorult", "service", "runescape", "facebook", "bank", "alexa", "blacknet rat", "stealer", "noname057", "ip summary", "url summary", "summary", "sample", "samples", "attack", "tsara", "tsara brashears", "boeing", "apple id", "samsung", "telegrafix", "trellian", "dumping", "fiies shared", "browser malware", "cyber criminal", "cyber crime", "brashears", "hybrid", "analysis" ], "references": [], "public": 1, "adversary": "Qakbot", "targeted_countries": [ "United States of America", "Japan", "Argentina" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "651e79f50ce42abe29702324", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3016, "domain": 620, "hostname": 1177, "FileHash-MD5": 519, "FileHash-SHA1": 292, "FileHash-SHA256": 2150, "CVE": 1 }, "indicator_count": 7775, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622136221b98e828da5b9d4e", "name": "San Jose County Ca", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T21:41:54.243000", "tags": [], "references": [ "San Jose County Ca.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1203, "domain": 374, "URL": 62, "FileHash-SHA256": 1906 }, "indicator_count": 3545, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1521 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "dodgit.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "dodgit.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780309130.8682206 }