{
"type": "Domain",
"indicator": "event.data",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/event.data",
"alexa": "http://www.alexa.com/siteinfo/event.data",
"indicator": "event.data",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 2682757484,
"indicator": "event.data",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "68f61653030194aa34b32f3f",
"name": "Lunar Spider Expands their Web via FakeCaptcha",
"description": "Lunar Spider, a Russian cybercriminal group, has expanded its initial access methods by compromising vulnerable websites with CORS vulnerabilities, particularly in Europe. The group injects these sites with a FakeCaptcha framework that includes victim monitoring capabilities. The infection chain involves an MSI downloader containing a legitimate Intel executable and a malicious DLL called Latrodectus. The MSI registers the Intel EXE in the Run registry key and sideloads the Latrodectus DLL through DLL search order hijacking. Latrodectus V2 then communicates with its command-and-control server and executes further enumeration commands. The blog provides detailed analysis of the attack chain, including the FakeCaptcha framework, MSI loader, and Latrodectus configuration, as well as detection opportunities and indicators of compromise.",
"modified": "2025-10-20T11:03:25.911000",
"created": "2025-10-20T11:00:35.539000",
"tags": [
"fakecaptcha",
"icedid",
"msi downloader",
"latrodectus"
],
"references": [
"https://blog.nviso.eu/2025/10/01/lunar-spider-expands-their-web-via-fakecaptcha"
],
"public": 1,
"adversary": "Lunar Spider",
"targeted_countries": [
"Germany"
],
"malware_families": [
{
"id": "Latrodectus - S1160",
"display_name": "Latrodectus - S1160",
"target": null
},
{
"id": "IceNova",
"display_name": "IceNova",
"target": null
},
{
"id": "Unidentified 111",
"display_name": "Unidentified 111",
"target": null
},
{
"id": "IcedID - S0483",
"display_name": "IcedID - S0483",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1573.001",
"name": "Symmetric Cryptography",
"display_name": "T1573.001 - Symmetric Cryptography"
},
{
"id": "T1574.001",
"name": "DLL Search Order Hijacking",
"display_name": "T1574.001 - DLL Search Order Hijacking"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1135",
"name": "Network Share Discovery",
"display_name": "T1135 - Network Share Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1482",
"name": "Domain Trust Discovery",
"display_name": "T1482 - Domain Trust Discovery"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1547.001 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.006",
"name": "Web Services",
"display_name": "T1584.006 - Web Services"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1008",
"name": "Fallback Channels",
"display_name": "T1008 - Fallback Channels"
}
],
"industries": [
"Finance"
],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "AlienVault",
"id": "2",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
"is_subscribed": true,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-MD5": 22,
"FileHash-SHA1": 22,
"FileHash-SHA256": 54,
"domain": 81,
"hostname": 6
},
"indicator_count": 186,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 377516,
"modified_text": "181 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6811141c708261eb22d3a773",
"name": "FileScan.io feed",
"description": "",
"modified": "2026-03-04T22:16:29.183000",
"created": "2025-04-29T18:02:04.881000",
"tags": [],
"references": [
"https://www.filescan.io/api/feed/reports"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 681,
"BitcoinAddress": 1,
"FileHash-MD5": 1595,
"FileHash-SHA1": 1569,
"FileHash-SHA256": 1726,
"domain": 116,
"email": 60,
"hostname": 99
},
"indicator_count": 5847,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 178,
"modified_text": "45 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65eea19a23474b8c7dca351f",
"name": "All Items - find from the UA archive disk",
"description": "Again have zero idea 'what these are' - just uploading from the 'archives' as I sort through things",
"modified": "2025-12-24T08:28:47.628000",
"created": "2024-03-11T06:15:54.351000",
"tags": [],
"references": [
"https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs",
"https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs",
"https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark",
"https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark",
"",
"https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1165,
"hostname": 866,
"URL": 657,
"FileHash-SHA256": 26,
"email": 337,
"FileHash-MD5": 12,
"FileHash-SHA1": 8,
"CIDR": 1
},
"indicator_count": 3072,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 128,
"modified_text": "116 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f727508f48d3e0feeb0231",
"name": "IOC&TTP - Lunar Spider Expands their Web via FakeCaptcha",
"description": "NVISO \u62ab\u9732\u4e86\u4fc4\u7f57\u65af\u8bed\u7cfb\u91d1\u94b1\u52a8\u673a\u5a01\u80c1\u56e2\u4f19 Lunar Spider\uff08\u53c8\u540d Gold Swathmore\uff09 \u7684\u6700\u65b0\u6d3b\u52a8\u3002\u8be5\u7ec4\u7ec7\u5728 2025 \u5e74\u901a\u8fc7 FakeCaptcha \u6846\u67b6 \u6269\u5c55\u4e86\u5176\u521d\u59cb\u8bbf\u95ee\u624b\u6bb5\uff0c\u653b\u51fb\u8005\u5229\u7528\u7f51\u7ad9\u7684 CORS\uff08\u8de8\u57df\u8d44\u6e90\u5171\u4eab\uff09\u6f0f\u6d1e \u690d\u5165\u6076\u610f JavaScript\uff08iFrameOverload\uff09\uff0c\u8986\u76d6\u539f\u9875\u9762\u5185\u5bb9\u5e76\u663e\u793a\u4f2a\u9020\u7684\u9a8c\u8bc1\u7801\u754c\u9762\u3002\n\u8be5\u6846\u67b6\u901a\u8fc7 Telegram \u673a\u5668\u4eba \u5b9e\u65f6\u76d1\u63a7\u53d7\u5bb3\u8005\u4ea4\u4e92\u884c\u4e3a\uff0c\u5e76\u5f15\u5bfc\u53d7\u5bb3\u8005\u6267\u884c \u6076\u610f PowerShell \u547d\u4ee4\uff0c\u4ece\u800c\u4e0b\u8f7d\u5e76\u5b89\u88c5 MSI \u8f7d\u8377\u3002\n\nMSI \u6587\u4ef6\u5185\u5d4c\u5408\u6cd5\u7684 Intel igfxSDK.exe\uff0c\u4f46\u4f1a\u901a\u8fc7 DLL \u641c\u7d22\u987a\u5e8f\u52ab\u6301\uff08Search Order Hijacking\uff09 \u52a0\u8f7d\u6076\u610f Latrodectus V2 DLL\uff0c\u5b9e\u73b0\u6301\u4e45\u5316\u4e0e\u540e\u7eed\u547d\u4ee4\u6267\u884c\u3002\u8be5 DLL \u5c5e\u4e8e Lunar Spider \u81ea\u7814\u7684 Latrodectus\uff08BlackWidow / Lotus\uff09Loader\uff0c\u4e3a IcedID \u7684\u7ee7\u627f\u8005\uff0c\u7528\u4e8e\u611f\u67d3\u3001\u679a\u4e3e\u7cfb\u7edf\u5e76\u4e3a\u52d2\u7d22\u7ec4\u7ec7\uff08\u5982 ALPHV/BlackCat\u3001Wizard Spider\uff09\u63d0\u4f9b\u5165\u4fb5\u5165\u53e3\u3002",
"modified": "2025-10-21T06:25:29.947000",
"created": "2025-10-21T06:25:20.872000",
"tags": [
"fakecaptcha",
"icedid",
"msi downloader",
"latrodectus"
],
"references": [
"https://blog.nviso.eu/2025/10/01/lunar-spider-expands-their-web-via-fakecaptcha"
],
"public": 1,
"adversary": "Lunar Spider",
"targeted_countries": [
"Germany"
],
"malware_families": [
{
"id": "Latrodectus - S1160",
"display_name": "Latrodectus - S1160",
"target": null
},
{
"id": "IceNova",
"display_name": "IceNova",
"target": null
},
{
"id": "Unidentified 111",
"display_name": "Unidentified 111",
"target": null
},
{
"id": "IcedID - S0483",
"display_name": "IcedID - S0483",
"target": null
}
],
"attack_ids": [
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1573.001",
"name": "Symmetric Cryptography",
"display_name": "T1573.001 - Symmetric Cryptography"
},
{
"id": "T1574.001",
"name": "DLL Search Order Hijacking",
"display_name": "T1574.001 - DLL Search Order Hijacking"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1135",
"name": "Network Share Discovery",
"display_name": "T1135 - Network Share Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1482",
"name": "Domain Trust Discovery",
"display_name": "T1482 - Domain Trust Discovery"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1547.001 - Registry Run Keys / Startup Folder"
},
{
"id": "T1584.006",
"name": "Web Services",
"display_name": "T1584.006 - Web Services"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1008",
"name": "Fallback Channels",
"display_name": "T1008 - Fallback Channels"
}
],
"industries": [
"Finance"
],
"TLP": "white",
"cloned_from": "68f61653030194aa34b32f3f",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "celestre",
"id": "295357",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-MD5": 22,
"FileHash-SHA1": 22,
"FileHash-SHA256": 54,
"domain": 81,
"hostname": 6
},
"indicator_count": 186,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 119,
"modified_text": "180 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68ddf4ccd1db55c513eaea40",
"name": "Lunar Spider Expands their Web via FakeCaptcha",
"description": "Lunar Spider, a Russian-speaking cybercriminal group, has escalated its attack strategies by targeting vulnerable websites primarily in Europe, exploiting Cross-Origin Resource Sharing (CORS) vulnerabilities. Their approach involves injecting a FakeCaptcha framework into these sites through a JavaScript snippet that creates an iframe, effectively overlaying malicious content on legitimate sites. This technique allows them to track victim interactions and report clicks back to a Telegram channel. The infection process begins with an MSI downloader that embeds a legitimate Intel executable alongside a malicious DLL dubbed Latrodectus. This downloader registers the Intel EXE in the Windows Run registry key for persistence and then sideloads the Latrodectus DLL by exploiting the DLL search order hijacking mechanism.",
"modified": "2025-10-02T03:43:08.393000",
"created": "2025-10-02T03:43:08.393000",
"tags": [
"latrodectus",
"lunar spider",
"spider",
"javascript",
"unknown",
"cors",
"powershell",
"windows",
"timestamp",
"filename",
"icedid",
"android",
"global",
"bokbot",
"window",
"iframe",
"ploy",
"crazy",
"silent",
"iron",
"shadow",
"wolf",
"hawk",
"lion",
"shark",
"tiger",
"cobra",
"trident",
"explorer",
"macos",
"lumma stealer",
"path",
"desktop",
"ukraine",
"defender",
"copy",
"execution",
"lumma",
"christos",
"msi",
"c2 domains",
"msi sha256",
"dll sha256",
"hashes"
],
"references": [
"https://blog.nviso.eu/2025/10/01/lunar-spider-expands-their-web-via-fakecaptcha/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
},
{
"id": "Latrodectus",
"display_name": "Latrodectus",
"target": null
}
],
"attack_ids": [
{
"id": "T1584.006",
"name": "Web Services",
"display_name": "T1584.006 - Web Services"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
},
{
"id": "T1059.001",
"name": "PowerShell",
"display_name": "T1059.001 - PowerShell"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1059.003",
"name": "Windows Command Shell",
"display_name": "T1059.003 - Windows Command Shell"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1547.001",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1547.001 - Registry Run Keys / Startup Folder"
},
{
"id": "T1574.001",
"name": "DLL Search Order Hijacking",
"display_name": "T1574.001 - DLL Search Order Hijacking"
},
{
"id": "T1533",
"name": "Data from Local System",
"display_name": "T1533 - Data from Local System"
},
{
"id": "T1482",
"name": "Domain Trust Discovery",
"display_name": "T1482 - Domain Trust Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1135",
"name": "Network Share Discovery",
"display_name": "T1135 - Network Share Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1008",
"name": "Fallback Channels",
"display_name": "T1008 - Fallback Channels"
},
{
"id": "T1573.001",
"name": "Symmetric Cryptography",
"display_name": "T1573.001 - Symmetric Cryptography"
}
],
"industries": [
"Financial"
],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "PetrP.73",
"id": "154605",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-MD5": 22,
"FileHash-SHA1": 22,
"FileHash-SHA256": 54,
"URL": 7,
"domain": 80,
"hostname": 6
},
"indicator_count": 192,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 171,
"modified_text": "199 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686ea022f2d0e77690299a69",
"name": "ginko garden assets.allegrostatic.com/bundle/v3-54203a750607c1f8005bfa4f30210fc496ff082fa5955ab5c25297957b245cbb.css",
"description": "",
"modified": "2025-10-01T00:01:22.860000",
"created": "2025-07-09T17:00:18.854000",
"tags": [
"bd poczenia",
"samochodowe",
"nawigacja",
"garmin nuvi",
"yoga tab",
"dekoracyjna na",
"imitacja starej",
"okoliczno",
"kot kot",
"peugeot",
"do mini",
"payout",
"bcaluzje",
"do dekodera",
"fiat stilo",
"zewn",
"bcem",
"b3jpozosta",
"bcubr",
"b3wka",
"osversionwin8",
"morfikownia",
"nieobecny",
"gdpr",
"gdprconsent755",
"nieznany",
"aaaaa",
"a nxdomena",
"nazwa rekordu",
"url pokazywa",
"adres url",
"nazwa hosta",
"adres ip",
"as14061",
"as22616 zscaler",
"poprzedni",
"powizane adresy",
"as13335 chmura",
"google wyniki",
"win32",
"narzdzie",
"trojan",
"tylne drzwi",
"robak",
"imponex",
"wygraj trojan",
"delf1033 robak",
"win32wanex",
"zawieszenie",
"user",
"xml process",
"text process",
"k netsvcs",
"chrome",
"typ pliku",
"wpis",
"rgba",
"web open",
"font format",
"truetype",
"unicode",
"wpis pamici",
"unix",
"function",
"silent failure",
"regexp",
"gethostname",
"date",
"saves",
"return",
"cmsg",
"iframe",
"issafari",
"null",
"meta"
],
"references": [
"https://allegro.pl/oferta/solidna-szklana-kula-bombka-do-zawieszenia-9cm-niebieska-metaliczna-17158975307#parametry",
"https://allegro.pl/oferta/poidelko-dla-ptakow-10-cm-figurka-ogrodowa-z-metalu-rdza-16510231991",
"https://ct.captcha-delivery.com/c.js",
"https://assets.allegrostatic.com/bundle/v3-54203a750607c1f8005bfa4f30210fc496ff082fa5955ab5c25297957b245cbb.css"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 467,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3583,
"domain": 246,
"hostname": 456,
"FileHash-SHA1": 137,
"FileHash-MD5": 342,
"FileHash-SHA256": 1367,
"email": 1
},
"indicator_count": 6132,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 124,
"modified_text": "200 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68038f7eb6f6810aa6d6439f",
"name": "\"+g+\"",
"description": "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False",
"modified": "2025-09-01T08:05:25.121000",
"created": "2025-04-19T11:56:46.933000",
"tags": [
"copyright",
"customevent",
"typeof e",
"boomerang",
"typeof t",
"macintosh",
"os x",
"post",
"typeof",
"iframe",
"date",
"poka menu",
"nie znaleziono",
"poka start",
"poka",
"max dostpnych",
"pierwsza",
"ostatnia",
"nastpna",
"poprzednia",
"brak danych",
"first",
"ceidg",
"wystpi bd",
"error",
"true",
"null",
"linkdownload",
"show",
"ctrlmappings",
"version",
"versionchange",
"body",
"false",
"span",
"input",
"paginate",
"next",
"last",
"selectstart",
"loop",
"function",
"bootstrap",
"datatables",
"responsive",
"2016 sprymedia",
"amd define",
"object",
"commonjs",
"window",
"browser",
"button",
"datatable",
"sprymedia ltd",
"columns",
"colidx",
"column",
"parent",
"child",
"param",
"display",
"click",
"middle",
"class",
"target",
"never",
"find",
"footer",
"close",
"regexp",
"matches",
"cookie",
"inputmask",
"input mask",
"robin herbots",
"mit license",
"xmlhttprequest",
"left",
"month",
"boolean",
"maxdate",
"right",
"daterangepicker",
"yyyymmdd",
"calendar",
"jquery",
"webpackrequire",
"typeof symbol",
"type",
"setprototypeof",
"maskpos",
"wrapnativesuper",
"backspace",
"insert",
"internal",
"mask",
"void",
"this",
"nie mona",
"array",
"nonmsdombrowser",
"horizontal",
"leftarrow",
"uparrow",
"rightarrow",
"downarrow",
"explorer",
"form",
"legend",
"hmmss",
"mmmm d",
"yyyy h",
"typeof define",
"number",
"locale",
"character",
"seeknext",
"masked",
"input plugin",
"josh bush",
"azaz",
"azaz09",
"black",
"kontrast",
"arrcookies",
"getcookielang",
"and information",
"on business",
"sign",
"twoja",
"opinia",
"informacja o",
"notify ui",
"widget",
"eric hynds",
"dual",
"name",
"dtopt",
"example",
"using",
"open",
"adata",
"hungarian",
"aria",
"legacy",
"trident",
"format",
"nuke",
"apos",
"bitcoin",
"outer",
"mark",
"info",
"reload",
"behaviour",
"write",
"buttons",
"anything",
"prop",
"thecookie",
"create",
"thevalue",
"string name",
"pluginscookie",
"author",
"eventkey",
"datakey",
"default",
"dataapikey",
"defaulttype",
"config",
"shown",
"trigger",
"delta",
"guard",
"arrow",
"leave",
"scroll",
"dataspy",
"sessiontimeout",
"return",
"settimeout",
"mytimerid",
"requestcounter",
"starttimer",
"stop",
"typeof n",
"adminlte",
"typeof o",
"main",
"js application",
"adminlte v2",
"colorlib",
"ui date",
"written",
"jacek wysocki",
"poprzedni",
"marzec",
"kwiecie",
"czerwiec",
"lipiec",
"sierpie",
"wrzesie",
"openpopup",
"href",
"toggle",
"msviewport",
"popover",
"json",
"json text",
"string",
"otherwise",
"holder",
"mind",
"copy",
"meta",
"third",
"text",
"choice",
"confirm",
"nie pytaj",
"site",
"title",
"value",
"alert",
"warn",
"migrate",
"foundation",
"see http",
"forget",
"newvalue",
"nones5",
"fall",
"wrongvalid",
"onerror",
"year",
"fast",
"argument",
"popper",
"method",
"data",
"html",
"flip",
"factory",
"onload",
"tbody",
"courier",
"elem",
"handle",
"expando",
"match",
"selector",
"sizzle",
"android",
"capture",
"seed",
"pass",
"enough",
"code",
"bind",
"core",
"local",
"verify",
"accept",
"done",
"override",
"inject",
"possible",
"hold",
"45deg",
"larger",
"screen styling",
"90deg",
"support",
"sidebar mini",
"e1f0ff",
"font awesome",
"free",
"autocomplete",
"folder",
"expanded folder",
"tabela",
"sorting",
"xform",
"nadpisane style",
"menlo",
"monaco",
"consolas",
"mono",
"courier new",
"browse",
"twitter",
"pt serif",
"georgia",
"times new",
"roman",
"times",
"typetime",
"import",
"roboto",
"http",
"label",
"demos",
"effect",
"inst",
"super",
"speed",
"bounce",
"hack",
"logic",
"shift",
"double",
"february",
"april",
"june",
"august",
"friday",
"erase",
"atom",
"caja",
"spinner",
"refresh",
"alpha",
"sentinel",
"back",
"blind",
"drop",
"ceidg.gov.pl - centralna ewidencja i informacja o dzia\u0142alno\u015bci g",
"prosz czeka",
"pobierz plik"
],
"references": [
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.aspx?Id=855bdfc1-7dbc-4a86-9d27-89ebb0ecf166&archival=False",
"UE_pl_top.svg",
"UE_pl_top_sm.svg",
"XZ4AH-ABKPW-SQPBC-CYWES-BCG6V",
"dataTables.lang.js.pobrane",
"EntryChangeHistory.aspx.js.pobrane",
"dataTables.input.js.pobrane",
"responsive.bootstrap4.js.pobrane",
"dataTables.bootstrap4.js.pobrane",
"dataTables.responsive.js.pobrane",
"jquery.session.js.pobrane",
"inputmask.binding.js.pobrane",
"daterangepicker.js.pobrane",
"jquery.inputmask.min.js.pobrane",
"ScriptResource.axd",
"moment-with-locales.min.js.pobrane",
"jquery.maskedinput-1.2.2.js.pobrane",
"feedback.js.pobrane",
"jquery.notify.min.js.pobrane",
"jquery.dataTables.js.pobrane",
"jquery.cookie.js.pobrane",
"bootstrap.js.pobrane",
"SessionTimeout.js.pobrane",
"adminlte.min.js.pobrane",
"jquery.easing.1.3.js.pobrane",
"jquery.feedbackBadge.min.js.pobrane",
"ui.datepicker-pl.js.pobrane",
"ceidg-master.js.pobrane",
"CommonResponsive.js.pobrane",
"json2.js.pobrane",
"jquery.alerts.js.pobrane",
"jquery-migrate-1.2.1.js.pobrane",
"dataTables.bootstrap4.css",
"CommonScripts.js.pobrane",
"popper.js.pobrane",
"responsive.bootstrap4.css",
"jquery-3.0.0.js.pobrane",
"daterangepicker.css",
"AdminLTE.css",
"ui.notify.css",
"ceidg.css",
"bootstrap-gov-pl.css",
"biznes.css",
"jquery-ui.js.pobrane",
"saved_resource.html"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3,
"FileHash-SHA1": 4,
"FileHash-SHA256": 25,
"URL": 165,
"domain": 353,
"hostname": 215,
"email": 2
},
"indicator_count": 767,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "230 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6855bacae134aaca15b1723e",
"name": "Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader.",
"description": "A recent malware campaign attributed to unidentified threat actors, dubbed \"Dark Partners,\" has been observed delivering malicious payloads targeting Windows and MacOS users. The campaign utilizes a loader known as \"PayDay Loader,\" which primarily facilitates the distribution of infostealers, including the notorious Poseidon Stealer for MacOS. The origin of this malware can be traced back to impersonated websites mimicking well-known AI and VPN services, with notable emphasis on fostering user trust through familiar brands.",
"modified": "2025-07-20T19:01:42.402000",
"created": "2025-06-20T19:47:22.873000",
"tags": [
"payday loader",
"cfile",
"require",
"promise",
"grabfolder",
"dark",
"await",
"c2 server",
"null",
"base64",
"ffile",
"loader",
"lumma stealer",
"error",
"crypto",
"dllimport",
"install",
"bypass",
"path",
"stop",
"phantom",
"exodus",
"harmony",
"tron",
"temple",
"poseidon",
"\u2019m",
"dark partners",
"windows",
"lumma",
"nodejs",
"cybersecurity cryptocurrency"
],
"references": [
"https://g0njxa.medium.com/dark-partners-the-crypto-heist-adventure-of-poseidon-stealer-and-payday-loader-c91382fac5c8"
],
"public": 1,
"adversary": "Poseidon",
"targeted_countries": [],
"malware_families": [
{
"id": "\u2019m",
"display_name": "\u2019m",
"target": null
},
{
"id": "Dark Partners",
"display_name": "Dark Partners",
"target": null
},
{
"id": "Windows",
"display_name": "Windows",
"target": null
},
{
"id": "Lumma",
"display_name": "Lumma",
"target": null
},
{
"id": "NodeJS",
"display_name": "NodeJS",
"target": null
},
{
"id": "Cybersecurity Cryptocurrency",
"display_name": "Cybersecurity Cryptocurrency",
"target": null
},
{
"id": "Poseidon",
"display_name": "Poseidon",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 25,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "PetrP.73",
"id": "154605",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3,
"FileHash-SHA1": 3,
"FileHash-SHA256": 22,
"URL": 18,
"domain": 79,
"email": 1,
"hostname": 179
},
"indicator_count": 305,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 171,
"modified_text": "272 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67a7f06a5d0f22ad92684646",
"name": "WebForm.com.gov.pl/CEIDG/ScriptResource.axd",
"description": "The following is the full text of the WebForm.com.gov.pl/CEIDG/ScriptResource.axd, following the following:.au, for the first time.",
"modified": "2025-05-14T21:27:17.040000",
"created": "2025-02-09T00:01:46.054000",
"tags": [
"null",
"nie mona",
"array",
"input",
"nonmsdombrowser",
"object",
"html",
"component",
"body",
"horizontal",
"date",
"calendar",
"february",
"april",
"june",
"august",
"iframe",
"form",
"friday",
"explorer",
"target",
"error",
"legend",
"this",
"type",
"regexp",
"elem",
"index",
"function",
"handle",
"check",
"safari",
"expando",
"android",
"false",
"hooks",
"copy",
"prop",
"class",
"mark",
"window",
"code",
"capture",
"accept",
"seed",
"override",
"hook",
"look",
"loop",
"install",
"pass",
"enough",
"bind",
"core",
"local",
"verify",
"done",
"find",
"internal",
"inject",
"possible",
"hold",
"middle",
"guard",
"fall",
"stop",
"panic",
"back",
"restrict",
"speed",
"turn",
"grab",
"getclass",
"jquery",
"bubble",
"anchor",
"shift"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1143,
"domain": 155,
"hostname": 523,
"FileHash-SHA256": 151
},
"indicator_count": 1972,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "339 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "674afb83c67ff4443e9f953a",
"name": "PolymodXT.exe",
"description": "",
"modified": "2025-05-14T21:18:19.590000",
"created": "2024-11-30T11:48:19.052000",
"tags": [
"file",
"flagi",
"process sha256",
"process disc",
"pathway z",
"identyfikator",
"zawiera moliwo",
"klucz",
"zawiera",
"wybierz",
"nie mona",
"przechowywanie",
"haso",
"obiekt",
"cig uid",
"zilla",
"enumerate",
"defender",
"pragma",
"security",
"license v2",
"ff ff",
"fc e8",
"f8 ff",
"fc ff",
"c9 c3",
"e4 f8",
"cc cc",
"fc eb",
"confuserex mod",
"aspirecrypt",
"detects",
"reactor",
"beds protector",
"ps2exe",
"bsjb",
"boxedapp",
"cyaxsharp",
"cyaxpng",
"smartassembly",
"koivm",
"confuserex",
"obfuscator",
"aspack",
"titan",
"enigma",
"vmprotect",
"strings",
"rlpack",
"antiem",
"antisb",
"themida",
"loader",
"sality",
"dnguard",
"windows nt",
"gecko",
"khtml",
"msie",
"wow64",
"stealer",
"win64",
"error",
"userprofile",
"keylogger",
"encrypt",
"antivm",
"span",
"main",
"grabber",
"hello",
"android",
"dcrat",
"win32",
"kill",
"revengerat",
"sandbox",
"pass",
"chat",
"first",
"asyncrat",
"crypto",
"injector",
"dropper",
"infostealer",
"lockfile",
"worldwind",
"stealerium",
"toxiceye",
"avemaria",
"fast",
"persistence",
"trojan",
"restart",
"snakekeylogger",
"snake",
"accept",
"cookie",
"code",
"killproc",
"lazarus",
"dearcry",
"njrat",
"cyrus",
"powershell",
"info",
"body",
"floodfix",
"downloader",
"ransomware",
"core",
"loki",
"fpspy",
"klogexe",
"firebird",
"patch",
"explorer",
"avkiller",
"masslogger",
"baldr",
"modi rat",
"helpme",
"osno",
"import",
"keylog",
"screencapture",
"ransom",
"crypted",
"silent",
"xorddos",
"stormkitty",
"ordinal",
"locker",
"hyperbro",
"lamepyre",
"parallaxrat",
"null",
"shurk steal",
"arkeistealer",
"strongpity",
"desktop",
"myagent",
"bypass",
"fatduke",
"miniduke",
"polyglotduke",
"guildma",
"spyeye",
"corebot",
"killmbr",
"ooops",
"lcpdot",
"torisma",
"codec",
"prometheus",
"spook",
"crypt",
"logger",
"zegost",
"poshkeylogger",
"systembc",
"hdlocker",
"cryptolocker",
"fivehands",
"kitty",
"goldmax",
"rents",
"maurigo",
"done",
"hidewindow",
"bokbot",
"bladabindi",
"darktrack",
"darksky",
"alien",
"karkoff",
"inject",
"windigo",
"rest",
"softcnapp",
"elysiumstealer",
"leivion",
"banload",
"ultrareach",
"ultrasurf",
"buterat",
"tools",
"beasty",
"shut",
"gravityrat",
"fatalrat",
"discord",
"deadwood",
"turian",
"markirat",
"mark",
"klingonrat",
"path",
"reverserat",
"grab",
"meta",
"voidcrypt",
"darkvnc",
"ryzerlo",
"hiddentear",
"boxcaon",
"stream",
"crimsonrat",
"delfi",
"infinity",
"stealthworker",
"gasket",
"spoolss",
"lu0bot",
"target",
"attack",
"cobaltstrike",
"bits",
"chaos",
"bitcoin",
"wiper",
"delphi",
"slackbot",
"neshta",
"belarus",
"apanas",
"runner",
"darkcomet",
"macoute",
"iframe",
"vanillarat",
"sectoprat",
"melt",
"tomiris",
"apostle",
"blackbyte",
"kutaki",
"override",
"windealer",
"mkdir",
"brbbot",
"config",
"babylon rat",
"spynet",
"bazarloader",
"clipper",
"banker",
"gh0st",
"piratestealer",
"witch",
"killme",
"vulturi",
"tofsee",
"slow",
"owowa",
"flagpro",
"write",
"dazzlespy",
"decryptor",
"bandit stealer",
"bandit",
"darkeye",
"recordbreaker",
"truebot",
"svchost",
"clipbanker",
"service",
"arrowrat",
"ducktail",
"confuser",
"gobrat",
"modiloader",
"chilelocker",
"noclose",
"strelastealer",
"comfoo",
"babar",
"blankgrabber",
"solarmarker",
"darkgate",
"stub",
"banned",
"globeimposter",
"rhysida",
"janelarat",
"kraken",
"recon",
"quiterat",
"venomrat",
"venom rat",
"sapphirestealer",
"ntospy",
"raccoon",
"shifu",
"mediapi",
"poolrat",
"cicada3301",
"remoteexec"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 528,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 414,
"FileHash-SHA1": 410,
"FileHash-SHA256": 1940,
"URL": 171,
"hostname": 56,
"domain": 134,
"YARA": 759,
"email": 4
},
"indicator_count": 3888,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "339 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "67f33233092ab19b74879403",
"name": "MacOS M2 Chip Infiltration: Game Center & XBOX Pod Game & Chat Server",
"description": "pulse explores a variety of files, objects, and functions that could be associated with different system components, libraries, and protocols. It highlights a wide range of potential vulnerabilities that may exist in software related to system functions, APIs, data handling, and device interactions, including issues in devices like game controllers, HID devices, and platform-specific services (such as Apple and Android). The pulse references several components across different platforms (macOS, iOS, ARM architectures, and others), with a focus on low-level code, encryption libraries, system utilities, and network protocols like TCP, IP, and Bluetooth. The identified vulnerabilities could involve buffer overflows, deprecated functions, improper memory handling, and potential exploit vectors related to system security, performance, and integrity.",
"modified": "2025-05-07T02:03:20.735000",
"created": "2025-04-07T02:02:27.322000",
"tags": [
"helper macro",
"param",
"param inccache",
"kerberos",
"ccache",
"api function",
"ccapi",
"api version",
"param ioccache",
"ccacheserver",
"win32",
"null",
"code",
"win64",
"error",
"union",
"ccapideprecated",
"ccacheapi",
"ccapiv2h",
"apple",
"export",
"united",
"ccache api",
"cplusplus",
"x8664",
"typedef",
"patheq",
"none",
"popen",
"terminate",
"false",
"winenv",
"winexe",
"frozen",
"winservice",
"python",
"posixthreads",
"pyhavecondvar",
"ntthreads",
"vista",
"pyemulatedwincv",
"ntddivista",
"semaphore",
"pycondt",
"win7",
"pybuildcore",
"fall",
"copyright",
"technology",
"all rights",
"reserved",
"america",
"government",
"within that",
"klprincipal",
"klloginoptions",
"inpassword",
"klboolean",
"klindex inindex",
"login",
"klstatus",
"kerberos login",
"inst",
"regexp",
"typeof e",
"function",
"typeof t",
"typeof o",
"width",
"typeof",
"pseudo",
"body",
"sticky",
"date",
"class",
"this",
"void",
"accept",
"span",
"krb5callconv",
"apoptsreserved",
"tktflgreserved",
"kdcoptreserved",
"krb5data",
"eblock",
"krb5address",
"krb5keyblock",
"service",
"realm",
"format",
"general",
"internal",
"entropy",
"mask",
"mcpeerid",
"mcsession",
"property",
"protocol",
"create",
"nsuinteger",
"notifies",
"mcsession api",
"interface",
"bonjour",
"ascii lowercase",
"abc company",
"section",
"bonjour txt",
"mcextern",
"attribute",
"mcextern extern",
"mcexternweak",
"nsenum",
"nsinteger",
"mcerrorcode",
"mcerrorunknown",
"mcerrortimedout",
"bonjour apis",
"stop",
"peer",
"example",
"tags",
"session",
"nsprogress",
"nserror",
"nsstring",
"nsurl",
"nsarray",
"note",
"ui element",
"utf8 encoding",
"nscopying",
"nsdictionary",
"webpackrequire",
"webpackexports",
"object",
"adobe systems",
"adobe",
"incorporated",
"dissemination",
"touchmove",
"window",
"launch",
"close",
"core",
"webview",
"nwebpackrequire",
"arraybuffer",
"name",
"typedarray",
"prototype",
"string",
"number",
"nvar",
"meta",
"infinity",
"generator",
"zero",
"epsilon",
"observer",
"android",
"freeze",
"trim",
"canvas",
"simple",
"bind",
"fast",
"next",
"patch",
"rest",
"middle",
"find",
"enumerate",
"facebook",
"executor",
"apiunavailable",
"gamecontroller",
"gcbuttoninput",
"gcswitchinput",
"nsobject",
"apiavailable",
"hid device",
"cfstr",
"iohiddeviceref",
"boolean value",
"c iohidmanager",
"iohidmanager",
"c iohiddevice",
"issequential",
"bool sequential",
"bool canwrap",
"nsset",
"nsunavailable",
"gcswitchelement",
"bool",
"share button",
"xbox controller",
"xbox elite",
"xbox series",
"gcxboxgamepad",
"gcpoint2",
"gcpoint2make",
"gcpoint2 p",
"cfinline bool",
"gcpoint2equal",
"gcpoint2 point1",
"gcpoint2 point2",
"gcrelativeinput",
"isanalog",
"bool analog",
"hasinclude",
"gcaxis2dinput",
"gcpoint2 value",
"gcaxiselement",
"certain",
"gcaxisinput",
"gcbuttonelement",
"gccontroller",
"nsnotification",
"chhapticengine",
"gcmicrogamepad",
"input",
"menu button",
"gcdevicelight",
"gccolor",
"x axis",
"xvalue",
"developers",
"functionality",
"options button",
"sf symbols",
"elements",
"gcdevice",
"gctouchstate",
"gctouchstateup",
"apideprecated",
"gckeyboard",
"gcmouse",
"nsswiftname",
"gcdevicebattery",
"battery level",
"direction pad",
"directionapad",
"thumbstick",
"gcdevicecursor",
"a controller",
"gccolor color",
"gcinputbuttona",
"gcinputbuttonb",
"button b",
"check",
"a element",
"c nil",
"nsenumerator",
"siri remote",
"equivalent",
"down",
"left",
"right",
"kindof",
"handle button",
"c device",
"immediate input",
"dualsense",
"positional",
"sony dualsense",
"gcmotion",
"dualshock",
"uievent",
"controllers",
"uikit user",
"uiview",
"method",
"nsdata",
"axes",
"nsdata source",
"return",
"nullable",
"nsdata object",
"button",
"shoulder",
"extended",
"gamepad profile",
"nsdata api",
"gcgamepad",
"sizeof",
"standard",
"gckeyboardinput",
"keyboard",
"nsstring const",
"controller",
"back buttons",
"game controller",
"back",
"keypad",
"delete",
"insert",
"home",
"right arrow",
"left arrow",
"down arrow",
"up arrow",
"korean",
"backspace",
"alongside",
"gckeyuparrow",
"gckeycode const",
"lang1",
"gclinearinput",
"gcquaternion",
"gcacceleration",
"y axis",
"z axis",
"gcmouse mouse",
"gcmouse class",
"mice",
"gcmouseinput",
"mouse profile",
"scroll",
"nsdata instance",
"a alias",
"press",
"micro profile",
"siri remotes",
"b button",
"a gcinput",
"button a",
"nsoptions",
"examining",
"c sfsymbolsname",
"apple tv",
"remote",
"control center",
"a set",
"game",
"gcracingwheel",
"gcbundlewithpid",
"gcinputbuttonx",
"gcinputbuttony",
"gcinputshifter",
"gckeya",
"gckeyb",
"gckeybackslash",
"rawvalue",
"apple swift",
"o librarylevel",
"swift import",
"element",
"indices",
"iterator",
"subsequence",
"kerberoscomerr",
"const",
"permission",
"mit software",
"suitability",
"athena",
"openvision",
"gssdllimp",
"gssapigenerich",
"this software",
"purpose",
"disclaims all",
"warranties with",
"regard to",
"constraint",
"kerberosprofile",
"krb5profileh",
"const names",
"newvalue",
"1429577728l",
"gnuc",
"mach",
"omuint32",
"gssapikrb5h",
"form",
"uid form",
"client function",
"asrep",
"including",
"preauth",
"db entry",
"free",
"pointer",
"rock",
"neither",
"direct",
"damage",
"minorstatus",
"gssbuffert",
"gssctxidt",
"gssoid",
"gssnamet",
"gsscredidt",
"gssoidset",
"gssapi",
"first",
"alcapi",
"alcapientry",
"alcboolean",
"targetosmac",
"alcdevice",
"alcenum param",
"alalch",
"alcchar",
"alcsizei",
"capture",
"but not",
"limited",
"openal cross",
"apple computer",
"redistribution",
"is provided",
"type",
"alvoid",
"alint",
"openal",
"aluint sid",
"alenum",
"alint value",
"aluint property",
"alvoid nonnull",
"alfloat",
"write",
"openalopenalh",
"umbrella header",
"alenum param",
"alapi",
"aluint bid",
"alsizei",
"alfloat value",
"alapientry",
"aluint",
"verify",
"play",
"speed",
"bits",
"albuffer3i",
"albufferdata",
"albufferf",
"albufferfv",
"albufferi",
"albufferiv",
"aldistancemodel",
"aldopplerfactor",
"algetbooleanv",
"algetbuffer3f",
"iousbhostdevice",
"iousbhostobject",
"iousbhostpipe",
"iousbhoststream",
"iousbhost",
"brief",
"usb host",
"bool yes",
"bool no",
"advance",
"iousbhostfamily",
"kernel",
"ioreturn status",
"nsnumber",
"ioreturn error",
"usb device",
"select",
"commands",
"enqueue",
"nsmutabledata",
"field",
"enum",
"options",
"retrieve",
"iosource",
"current address",
"bos descriptor",
"extract",
"a descriptor",
"license",
"io request",
"abort",
"discussion",
"stream",
"please",
"swift api",
"iousbbitrange",
"iousbbitrange64",
"iousbbit",
"client",
"usb controller",
"usb descriptor",
"unknown",
"critical",
"refer",
"link",
"send",
"same",
"common ui",
"bluetooth",
"service browser",
"option",
"1001",
"cfstringref",
"deprecated",
"macos",
"returns",
"abstract",
"nswindow",
"creates",
"mac os",
"uuids",
"uuid",
"sdp service",
"nsimage",
"nsview",
"mpasskeystring",
"nsmutablearray",
"uuid array",
"ioreturn",
"runmodal",
"group",
"command",
"byte",
"masks",
"pduid",
"l2cap",
"range",
"opcode",
"packet",
"major",
"local",
"profiles",
"iobluetooth",
"framework",
"support",
"host controller",
"rfcomm",
"minor class",
"pseudoclass",
"specific device",
"headset",
"peripheral",
"desktop",
"glasses",
"device reset",
"no hci",
"hci controller",
"returns number",
"variable number",
"packdata",
"cstring",
"pass",
"path",
"deprecated in",
"obex session",
"obexsessionref",
"rfcomm channel",
"obex",
"does not",
"l2cap channel",
"inrefcon",
"device",
"length",
"obex spec",
"error code",
"make",
"headerid",
"april",
"alarm",
"avrcplog",
"audiolog",
"bccmd16touint16",
"bccmd16touint8",
"bccmd32touint32",
"hfplog",
"obexcreatevcard",
"obexsessionget",
"uint16tobccmd16",
"intents",
"created",
"andrea gottardo",
"inimage",
"intentsui",
"project version",
"inshortcut",
"ibdesignable",
"invoiceshortcut",
"nsbundle",
"siri",
"beralloct",
"berbvarrayadd",
"berbvarrayfree",
"berbvdup",
"berbvecadd",
"berbvecfree",
"berbvfree",
"berdump",
"berdup",
"berdupbv",
"ldap",
"vdspinput1",
"vectorsize",
"iirchannel",
"osvkerndsplib",
"pragmaonce",
"paul chang",
"fri mar",
"original code",
"apple operating",
"modifications",
"apple public",
"source license",
"version",
"lframesize",
"i386",
"picify",
"callmcount",
"nonlazystub",
"align",
"roundtostack",
"leaf",
"import",
"carnegie mellon",
"carnegie",
"inline void",
"software",
"school",
"august",
"xnuarchi386selh",
"next computer",
"mike demoney",
"bruce martin",
"state segment",
"nxswappedfloat",
"osswapint32",
"inline float",
"inline double",
"osswapint64",
"armlimitsh",
"arm64",
"useclangtypes",
"bsdarmtypesh",
"int8t",
"gnuc typedef",
"uint8t",
"ansi c",
"ansi",
"use wchart",
"armmcontexth",
"mcontextt",
"armparamh",
"round",
"darwinsizet",
"darwinalign",
"uint32t",
"darwinalign32",
"warranties",
"a particular",
"university",
"armarch6zk",
"armarch6k",
"armarch4t",
"armarch4",
"http",
"capbitnb",
"legacy",
"armfeatureflag",
"california",
"notice",
"berkeley",
"limited to",
"define",
"useclanglimits",
"lp64",
"ansisource",
"darwincsource",
"longmin",
"ulongmax",
"parameter",
"vmmemcoherent",
"vmmemearlyack",
"vmmeminner",
"vmmemrt",
"vmmemguarded",
"armmemorytypesh",
"armpalroutinesh",
"read",
"struct",
"booleant",
"cluster",
"devbsize",
"mclbytes",
"unix system",
"laboratories",
"devbshift",
"thumb",
"armv5",
"armv7",
"cache",
"neon",
"swift",
"bsdarmprofileh",
"xxx todo",
"block",
"mcount",
"mcountinit",
"mcountenter",
"splhigh",
"armthreadh",
"armtraph",
"dflssiz",
"targetososx",
"maxssiz",
"rliminfinity",
"maxcsiz",
"bsdarmvmparamh",
"dfldsiz",
"maxdsiz",
"xxx stack",
"armsignal",
"int64t",
"armmachtypesh",
"int32t",
"methods",
"thread",
"hasapplepac",
"atmatmtypesh",
"libkernlocksh",
"fortifysource",
"libkerncopyioh",
"sizedby",
"darwinosinline",
"stdcversion",
"osswapint16",
"libkerncrch",
"blockexport",
"vaargs",
"blockrelease",
"blockh",
"collection",
"blockcopy",
"ososbaseh",
"base",
"byteoffset",
"host endianess",
"generic host",
"generic",
"osmalloc",
"osmalloctag tag",
"osmalloctag",
"pci device",
"uint32",
"uint32 mask",
"safecastptr",
"sint32",
"osaddatomic64",
"uint8",
"libkern c",
"internal error",
"core osreturn",
"libkern",
"values",
"pragmamark",
"kexts",
"kext",
"c string",
"grab",
"osostypesh",
"boolean",
"unsignedwide",
"uint32 hi",
"buildtime value",
"libkernversionh",
"versionmajor",
"versionminor",
"versionvariant",
"versionrevision",
"ostype",
"osrelease",
"libkernsysctlh",
"instructions",
"data cache",
"future",
"rbleft",
"rbright",
"rbgetparent",
"splayright",
"splayleft",
"rbsetcolor",
"rbblack",
"rbgetcolor",
"comp",
"main",
"stdc",
"msdos",
"windows",
"sys16bit",
"zlibdll",
"zextern",
"zconfh",
"model",
"zextern int",
"zstreamerror",
"znull",
"zbuferror",
"zmemerror",
"zstreamend",
"zdataerror",
"zfinish",
"enough",
"possible",
"trailer",
"compiler",
"countedby",
"sparta",
"osatomic",
"ipcipctypesh",
"ipcobjectnull",
"ipcobjectdead",
"osreturn",
"nfskrpch",
"xdrbuf",
"xdrbuf xbp",
"xbptr",
"xbleft",
"tlen",
"lval",
"xbcleanup",
"xbtype",
"xbflags",
"nfsargsversion",
"file",
"packed",
"nfshz",
"mount",
"term",
"restrict",
"stats",
"nfsbitmapset",
"nfsver3",
"nfsxunsigned",
"attr",
"nfsprogram",
"nfssmallfh",
"which",
"from",
"mark",
"obsolete",
"ip address",
"iaddrt",
"netinetbootph",
"nvmaxtext",
"magic",
"etheraddrlen",
"target",
"byteorder",
"bigendian",
"littleendian",
"dest",
"igmp",
"ushort",
"inpcbptr",
"inpcblistentry",
"ipsec",
"pcbs",
"cookie",
"netinetinstath",
"minimal",
"result",
"arp packet",
"icmpparamprob",
"icmpredirect",
"address",
"ditto",
"ip filter",
"ipv4",
"ip packet",
"inject",
"wifi",
"server",
"tcpmaxnotifyack",
"wired",
"ecn setup",
"notify",
"slow",
"definitions",
"tcptmax",
"retransmit",
"mptcp",
"tcpsclosewait",
"tcpsestablished",
"tcpstimewait",
"tcpseq",
"timer drift",
"sack",
"char",
"icmp",
"synack",
"tcpoptnop",
"syndata",
"ver",
"internet",
"iopcidevice",
"constant",
"perst",
"localonly",
"iooptionbits",
"optional access",
"ioservice",
"open",
"pcidriverkith",
"osmetaclassbase",
"iorpc rpc",
"auditpipeiobase",
"auditsdeviobase",
"ioctls",
"data",
"the software",
"stdargh",
"hasincludenext",
"eli friedman",
"as is",
"hack",
"atomic",
"atomicseqcst",
"clangstdatomich",
"stdchosted",
"stdboolh",
"needwintt",
"stddefh",
"hasbuiltin",
"const src",
"xnumembersize",
"const dst",
"wcharmax",
"wcharmin",
"limits",
"kernelstdinth",
"lp64 typedef",
"intmaxc",
"uintmaxc",
"ptrauth",
"olddata",
"value",
"declkey",
"abi pointer",
"c function",
"float16",
"fltevalmethod",
"legacy bsd",
"c standard",
"sincospi",
"cosp",
"x8664monotonich",
"staticifentry",
"hasmte",
"vmmemorytypesh",
"vmwimgdefault",
"wimg",
"extvectortype",
"utilfunction",
"aligned",
"srcptr",
"vmpmaph",
"vmdyldpagerh",
"vmvmfaulth",
"vmvmmaph",
"development",
"debug",
"vmvmoptionsh",
"vmvmpageouth",
"kasantbi",
"machvmmemtagh",
"given",
"vmmemtagptrsize",
"vmmemtagtagsize",
"copy",
"vmsharedregionh",
"vfsvfssupporth",
"veclib",
"master",
"world wide",
"various",
"veclibtypes",
"carbonlib",
"availability",
"carbon",
"noncarbon cfm",
"vbasicops",
"shift",
"vforceh",
"vdsplength n",
"realp",
"nonnull",
"vector",
"dspsplitcomplex",
"ieee",
"dspcomplex",
"uuiduuidh",
"uuiddefine",
"public",
"uuid library",
"kernelserver",
"simpleroutine",
"undkey",
"execution",
"strings array",
"user",
"title string",
"info",
"1024",
"xmldatat",
"undreplyref",
"kernsuccess",
"osaction",
"targetosiphone",
"istargetvendor",
"targetcpux8664",
"targetosunix",
"targetcpuppc",
"targetcpuppc64",
"targetcpux86",
"targetrtmaccfm",
"bridge",
"svflags",
"svpavreal",
"svpavreify",
"xpvav",
"svany",
"avfillp",
"for apidoc",
"mutableav",
"avrealoff",
"pltopenv",
"stmtstart",
"stmtend",
"copfile",
"plcurstackinfo",
"copfilegv",
"cophinthashget",
"loop",
"stack",
"beware",
"orig",
"loops",
"this file",
"the build",
"plbitcount",
"u8 value",
"cvflags",
"xpvcv",
"mutableptr",
"perlcore",
"cvgv",
"cvfile",
"cvfmethod",
"cvflvalue",
"cvfconst",
"anon",
"doinit extconst",
"ebcdic",
"extconst u8",
"index",
"ascii platform",
"confusingly",
"u8 pla2e",
"pla2e",
"u8 ple2a",
"guard",
"declspec",
"extconst",
"ext externc",
"init",
"larry wall",
"gnu general",
"readme file",
"multiplicity",
"plsawampersand",
"do not",
"perliogetc",
"perlioputc",
"perliostdoutf",
"perlio",
"perlfeatureh",
"featuresubbit",
"featuremyrefbit",
"featurefcbit",
"featureisabit",
"featuresaybit",
"featurestatebit",
"featuretrybit",
"hintfeaturemask",
"ffspace",
"process",
"ffdecimal",
"ffend",
"gvgp",
"gvflags",
"gvnamehek",
"svtype",
"gvegv",
"gvstash",
"gvxpvgv",
"svtpvgv",
"svtpvlv",
"super",
"edit directly",
"djgpp",
"bitbucket",
"perlsysinitbody",
"perlioinit",
"perlsystermbody",
"w macros",
"wexitstatus",
"shpath",
"mkdir",
"rotl64",
"rotl32",
"rotate x",
"rotr32",
"can64bithash",
"rotr64",
"ivsize",
"u8to16le",
"rotluv",
"rotruv",
"sbox32maxlen",
"plhashstate",
"perlhash",
"perl",
"usehashseed",
"perlseenhvfunch",
"perlhashseed",
"siphash24",
"siphash13",
"seed",
"c program",
"c type",
"c compiler",
"gcc attribute",
"longsize",
"c preprocessor",
"install",
"kill",
"cont",
"thus",
"ext declspec",
"dext",
"for apidocitem",
"utf8",
"ascii",
"fitsin8bits",
"nativetolatin1",
"strwithlen",
"u8 end",
"test",
"poison",
"february",
"cray",
"prior",
"behaviour",
"except",
"alpha",
"perlvar",
"perlvari",
"perlvara",
"padoffset",
"true",
"pmop",
"hooks",
"hook",
"sv invlist",
"perlinregcompc",
"svcur",
"perlinopc",
"tointernalsize",
"svtinvlist",
"invlistlen",
"strlen",
"hvaux",
"heklen",
"svook",
"hekutf8",
"hekkey",
"hekflags",
"mutablehv",
"hvnameheknn",
"gosh",
"leave",
"iperlsock",
"plsock",
"iperlstdio",
"plstdio",
"iperlproc",
"plproc",
"iperllio",
"pllio",
"perlimplicitsys",
"plink",
"keypackage",
"keyend",
"keysub",
"keydump",
"keylog",
"keysend",
"keystate",
"perlioclose",
"perlmemcollxfrm",
"nativetoneed",
"plclocaleobj",
"plno",
"plwarnall",
"plwarnnone",
"plyes",
"plzero",
"plc9utf8dfatab",
"nomathoms",
"perlintokec",
"perlinutf8c",
"perlinsvc",
"perlinregexecc",
"debugging",
"perlinlocalec",
"pfinet",
"snoop",
"ccprint",
"ccgraph",
"cccharnamecont",
"ccascii",
"ccwordchar",
"ccalphanumeric",
"ccidfirst",
"ccquotemeta",
"ccalpha",
"cccased",
"ordinal",
"magicvtablemax",
"extra",
"regex match",
"env hash",
"isa array",
"debugger",
"sig hash",
"available",
"shadow",
"array length",
"magic mg",
"sv sv",
"mgftainteddir",
"hefsvkey",
"mutablesv",
"ssizet",
"mgvtbl entry",
"mgfbytes",
"perlmagicsv 0",
"special",
"perlmagicarylen",
"perlmagicrhash",
"extra data",
"perlmagicpos",
"perlmagicsymtab",
"provides",
"dtrace probes",
"stdioh",
"stdioincluded",
"sfioversion",
"rxfpmfcharset",
"rxfpmfmultiline",
"rxfpmffold",
"rxfpmfextended",
"rxfpmfnocapture",
"rxfpmfkeepcopy",
"flags",
"rxfpmfstrict",
"ocshift",
"plop",
"perlbitfield16",
"baseop op",
"useithreads",
"pmfonce",
"padop",
"perlcknull",
"perlckfun",
"opparg1mask",
"opparg4mask",
"opparg2mask",
"perlckftst",
"perlppftrowned",
"perlckbitop",
"perlckcmp",
"perlcklfun",
"dump",
"chroot",
"syscall",
"flip",
"undef",
"crypt",
"push",
"stub",
"trans",
"predec",
"flop",
"prtf",
"shutdown",
"perlcontext cx",
"perlmemlog",
"c pointer",
"cxtype",
"logic",
"toavamg",
"tohvamg",
"opftrread",
"oplt",
"opincmp",
"opbitand",
"opsbitor",
"opsend",
"opgetpeername",
"opfteexec",
"opftbinary",
"opclose",
"plparser",
"yylex",
"lexshared",
"position",
"repl",
"memsize",
"malloct",
"perlmallocctlh",
"uv nfree",
"uv ntotal",
"iv topbucket",
"iv totalsbrk",
"iv minbucket",
"level",
"plcomppad",
"plcurpad",
"uvxf",
"ptr2uv",
"avarray",
"padnameflags",
"plcopseqmax",
"padlistarray",
"c array",
"padnametype",
"incpushperl5lib",
"appllibexp",
"privlibexp",
"defineincmacros",
"perlfsversion",
"perl5lib",
"sitearchexp",
"perllanginfoh",
"hasnllanginfo",
"ilanginfo",
"codeset",
"codeset 1",
"dtfmt",
"dtfmt 2",
"dfmt",
"dfmt 3",
"sipround",
"u8to64le",
"fallthrough",
"uint64c",
"perlsiphashfnc",
"siprounds",
"strlen inlen",
"sipfinalrounds",
"could",
"configure",
"plout",
"mine001",
"argv",
"plin",
"localpatchcount",
"perlapih",
"xs code",
"portingglossary",
"first version",
"brand",
"symbols",
"haswcrtomb",
"perlionotstdio",
"perlcallconv",
"perlio f",
"perlioh",
"usestdio",
"case",
"bufsiz",
"sizet",
"perlstability",
"perltypedefs",
"perldtracehin",
"perlloadedfile",
"perlloadingfile",
"perlopentry",
"perlphasechange",
"perlsubentry",
"perlsubreturn",
"generated",
"perlcallconv iv",
"sizet count",
"sv arg",
"mode",
"perliofuncs tab",
"stdchar",
"perliolistt",
"sv args",
"mutex",
"perlinterpreter",
"sigsize",
"perlioisstdio",
"perlcallconv op",
"perldokv",
"perlppaassign",
"perlppabs",
"perlppaccept",
"perlppadd",
"perlppaeach",
"perlppaelem",
"public license",
"free software",
"foundation",
"yydebug",
"bison",
"bareword",
"funcmeth",
"arrow",
"targ",
"pushs",
"tops",
"does",
"xsub",
"pops",
"xpushs",
"erange",
"perlreentrapi",
"perlreentrapi0",
"hostentsize",
"getgrentrproto",
"getpwentrproto",
"getnetentrproto",
"grentbuffer",
"grentsize",
"hostenterrno",
"redebugflag",
"debugvtest",
"debugr",
"u16 nextoff",
"argset",
"u8 type",
"nextoff",
"strings",
"problem",
"june",
"invert",
"perlfpclass",
"longdoublekind",
"plstatusvalue",
"pldebug",
"numclasses",
"locale",
"grok",
"pragma",
"dword",
"attack",
"little",
"lynx",
"done",
"reany",
"rxpextflags",
"rxextflags",
"checkpoint cp",
"rxftaintedseen",
"rxfcopydone",
"plsavestackix",
"plsavestack",
"plsavestackmax",
"ssmaxpush",
"enter",
"debugscope",
"state",
"u32 state",
"debugsbox32hash",
"sbox32warn5",
"line",
"mutexunlock",
"mutexinit",
"noop",
"mutexlock",
"condinit",
"detach",
"panic",
"usetm64",
"should",
"bsd extension",
"configuration",
"time64debug",
"int64t nv",
"gnu extension",
"perltime64h",
"time64t",
"int64t int64",
"int64 time64t",
"i32 year",
"tm64",
"hastmtmgmtoff",
"decide",
"svpvx",
"svgmagic",
"bonk",
"anything",
"turn",
"crash",
"fstat",
"perlmicro",
"hasioctl",
"hasutime",
"hasgroup",
"haspasswd",
"usemybinmode",
"idirent",
"likely",
"generated code",
"utfebcdic",
"unicode",
"step",
"ufeff",
"u00a0",
"u00df",
"u00b5",
"ufffd",
"u017f",
"u0300",
"unlikely",
"nativeutf8toi8",
"utf8skip",
"nativetouni",
"lazy",
"extrasize",
"regnodemax",
"exact",
"match",
"whilem",
"anyof",
"curly",
"trie",
"curlym",
"eval",
"star",
"perlutilh",
"hsmapiverlen",
"hsxsverlenmax",
"hskeyp",
"tools",
"sv vs",
"perlversionlt",
"svpvxnolenconst",
"perlckwarner",
"u32 err",
"scroakxsusage",
"pluumap",
"warnings",
"categories",
"plcurcop",
"perlckwarn",
"perlckwarnd",
"perlwarnisset",
"perlwarnoff",
"perlwarnbit",
"xsversion",
"xsreturn",
"perlxshandshake",
"plstackbase",
"hskey",
"zaphod32mix",
"u8to32le",
"zaphod32warn4",
"zaphod32warn3",
"zaphod32warn6",
"perlform",
"i8tonativeutf8",
"warnutf8",
"myshift",
"c extension",
"libs",
"cflags",
"afkuserlog",
"kafkeventcancel",
"kafkeventerror",
"adamsbagmanager",
"adjinglerequest",
"isinternalbuild",
"kickmcxdforuid",
"loadappkit",
"ardconfig",
"authenticator",
"dsauthenticator",
"dsnode",
"dsrecord",
"hostconfig",
"addtofront",
"calcslope",
"copyarray",
"createcachenode",
"defaultebecurve",
"deletecache",
"disablehcucache",
"dumpcache",
"dumpoutputhcu",
"enablet1sim",
"ascagent",
"ascagentproxy",
"asdevice",
"ddrangecompare",
"wdosloglauncher",
"wdoslogprotocol",
"findchar",
"ddasllogger",
"ddfilelogger",
"ddlog",
"ddlogfileinfo",
"ddlogmessage",
"ddloggernode",
"mkurlparser",
"mkerrordomain",
"mkintegerhash",
"mklonghash",
"mkmaprectinset",
"mkmaprectnull",
"mkmaprectoffset",
"mkmaprectworld",
"mkmapsizeworld",
"kextensionnonui",
"wkarraycreate",
"wkbooleancreate",
"wkcontextcreate",
"wkdatacreate",
"wkdatagettypeid",
"wkdoublecreate",
"wkframecopyurl",
"wkgettypeid",
"wkimagecreate",
"wkpagecandelete",
"webkit",
"methodkind",
"wkerrordomain",
"by apple",
"document",
"a block",
"wkcontentworld",
"wkwebview",
"javascript",
"wkerrorcode",
"wkerrorunknown",
"nsswiftasync",
"wkswiftasync",
"wkcookiepolicy",
"nshttpcookie",
"whether",
"wknavigation",
"wkdownload",
"decides",
"mime type",
"wkscriptmessage",
"wkframeinfo",
"information",
"url scheme",
"wkcontentmode",
"wkuserscript",
"wkextern",
"media",
"promise",
"fulfill",
"cgfloat",
"targetoswatch",
"sign",
"password",
"provider",
"uicontrol",
"nscontrol",
"opaque user",
"apple id",
"nsstring user",
"asuseragerange",
"initiate",
"asauthorization",
"confirms",
"apple upgrade",
"nserrorenum",
"operation",
"relying party",
"targetosvision",
"a byte",
"nsdata userid",
"relying",
"a string",
"asapiavailable",
"http response",
"authorization",
"oauth",
"saml",
"nsdata readdata",
"bool didwrite",
"a cose",
"nsstring name",
"bool appid",
"targetosxr",
"a state",
"a json",
"web token",
"private seckeys",
"nsstring appid",
"mdm profile",
"nsurl url",
"returns yes",
"lacontext",
"asswiftsendable",
"keychain",
"cose algorithm",
"ecdsa",
"sha256",
"cose curve",
"p256",
"nsinteger rank",
"enables",
"bool success",
"remove",
"call",
"complete",
"prepare",
"attempt",
"list",
"nsextension",
"settings",
"initializes",
"a key",
"extensions",
"hash",
"json",
"initialize",
"nsstring origin",
"settings app",
"urls",
"https urls",
"safari",
"cancel",
"nsuuid uuid",
"asextern extern",
"asextern",
"nsswiftsendable",
"uiwindow",
"propertykind",
"gkplayer",
"n tags",
"gkerrordomain",
"gamecenter",
"targetosios",
"targetostv",
"nsavailable",
"gkachievement",
"local player",
"view",
"present",
"optional",
"gkbaseplayer",
"game center",
"uiimage",
"app store",
"gkchallenge",
"gklocalplayer",
"nsdeprecated",
"a singleton",
"gkcloudplayer",
"returns nil",
"nsdeprecatedmac",
"internal2",
"internal3",
"internal4",
"gkscore",
"gkextern",
"gkextern extern",
"gkexternweak",
"gkerrorcode",
"gkerrorunknown",
"gkerrorunderage",
"friendplayer",
"standard view",
"nsresponder",
"parentwindow",
"ibaction",
"gkgamesession",
"apis",
"gkplayer player",
"nsinteger score",
"nsdate date",
"gkleaderboard",
"connect",
"nsinteger value",
"load",
"gktransporttype",
"nsstring title",
"loads array",
"localized",
"gkmatch",
"gkmatchrequest",
"gkinvite",
"gksession",
"gksession api",
"gamekit",
"asynchronously",
"welcome",
"nstimeinterval",
"delegate",
"delivery",
"gksenddatamode",
"gksessionmode",
"gkphotosize",
"callbacks",
"gkmatchdelegate",
"gksavedgame",
"default value",
"gksessionerror",
"gkvoicechat",
"participant",
"voice chat",
"clienta"
],
"references": [
"CredentialsCache.h",
"CredentialsCache2.h",
"config.xml",
"popen_spawn_win32.py",
"pycore_condvar.h",
"Kerberos.h",
"KerberosLogin.h",
"plugin.js",
"krb5.h",
"MultipeerConnectivity.tbd",
"MCBrowserViewController.h",
"MCNearbyServiceAdvertiser.h",
"MCError.h",
"MCAdvertiserAssistant.h",
"MCNearbyServiceBrowser.h",
"MultipeerConnectivity.apinotes",
"MultipeerConnectivity.h",
"MCSession.h",
"MCPeerID.h",
"canvas.html",
"capture_0.bundle.js",
"capture_resize.js",
"GCRacingWheelInput.h",
"GCSyntheticDeviceKeys.h",
"GCSwitchPositionInput.h",
"GCSteeringWheelElement.h",
"GCSwitchElement.h",
"GCTouchedStateInput.h",
"GCXboxGamepad.h",
"GCTypes.h",
"GCRelativeInput.h",
"GameController.h",
"GCAxis2DInput.h",
"GCAxisElement.h",
"GCAxisInput.h",
"GCButtonElement.h",
"GCController.h",
"GCColor.h",
"GCControllerAxisInput.h",
"GCControllerDirectionPad.h",
"GCControllerInput.h",
"GCControllerElement.h",
"GCControllerTouchpad.h",
"GCDevice.h",
"GCDeviceBattery.h",
"GCDeviceCursor.h",
"GCDeviceHaptics.h",
"GCDeviceLight.h",
"GCDevicePhysicalInputState.h",
"GCDevicePhysicalInputStateDiff.h",
"GCDirectionalGamepad.h",
"GCDirectionPadElement.h",
"GCDevicePhysicalInput.h",
"GCDualSenseAdaptiveTrigger.h",
"GCDualSenseGamepad.h",
"GCDualShockGamepad.h",
"GCEventViewController.h",
"GCExtendedGamepadSnapshot.h",
"GCExtern.h",
"GCExtendedGamepad.h",
"GCGamepadSnapshot.h",
"GCGearShifterElement.h",
"GCGamepad.h",
"GCKeyboard.h",
"GCInputNames.h",
"GCControllerButtonInput.h",
"GCKeyNames.h",
"GCKeyboardInput.h",
"GCKeyCodes.h",
"GCLinearInput.h",
"GCMotion.h",
"GCMouse.h",
"GCMouseInput.h",
"GCMicroGamepadSnapshot.h",
"GCPhysicalInputElement.h",
"GCMicroGamepad.h",
"GCPhysicalInputProfile.h",
"GCPhysicalInputSource.h",
"GCPressedStateInput.h",
"GCProductCategories.h",
"GCRacingWheel.h",
"GameController.tbd",
"arm64e-apple-macos.swiftinterface",
"x86_64-apple-macos.swiftinterface",
"module.modulemap",
"com_err.h",
"gssapi_generic.h",
"locate_plugin.h",
"profile.h",
"gssapi_krb5.h",
"preauth_plugin.h",
"gssapi.h",
"alc.h",
"oalStaticBufferExtension.h",
"oalMacOSX_OALExtensions.h",
"OpenAL.h",
"al.h",
"OpenAL.tbd",
"IOUSBHost.tbd",
"IOUSBHostCIEndpointStateMachine.h",
"IOUSBHostCIControllerStateMachine.h",
"IOUSBHost.h",
"IOUSBHostCIPortStateMachine.h",
"IOUSBHostCIDeviceStateMachine.h",
"IOUSBHostControllerInterfaceHelpers.h",
"IOUSBHostDevice.h",
"IOUSBHostControllerInterface.h",
"IOUSBHostDefinitions.h",
"IOUSBHostInterface.h",
"IOUSBHostIOSource.h",
"AppleUSBDescriptorParsing.h",
"IOUSBHostStream.h",
"IOUSBHostObject.h",
"IOUSBHostControllerInterfaceDefinitions.h",
"IOUSBHostPipe.h",
"IOBluetoothUIUserLib.h",
"IOBluetoothUI.h",
"IOBluetoothObjectPushUIController.h",
"IOBluetoothDeviceSelectorController.h",
"IOBluetoothPasskeyDisplay.h",
"IOBluetoothPairingController.h",
"IOBluetoothServiceBrowserController.h",
"IOBluetoothUI.tbd",
"Bluetooth.h",
"IOBluetooth.h",
"BluetoothAssignedNumbers.h",
"IOBluetoothTypes.h",
"IOBluetoothUtilities.h",
"OBEXBluetooth.h",
"IOBluetoothUserLib.h",
"OBEX.h",
"IOBluetooth.tbd",
"INImage+IntentsUI.h",
"IntentsUI.h",
"INUIAddVoiceShortcutButton.h",
"IntentsUI.apinotes",
"INUIEditVoiceShortcutViewController.h",
"INUIAddVoiceShortcutViewController.h",
"LDAP.tbd",
"OSvKernDSPLib.h",
"cpu.h",
"asm_help.h",
"desc.h",
"pio.h",
"io.h",
"sel.h",
"reg_help.h",
"tss.h",
"table.h",
"byte_order.h",
"_limits.h",
"_types.h",
"_mcontext.h",
"_param.h",
"_endian.h",
"arch.h",
"cpuid_internal.h",
"cpu_capabilities_public.h",
"arm_features.inc",
"endian.h",
"locks.h",
"limits.h",
"atomic.h",
"machine_cpuid.h",
"memory_types.h",
"pal_routines.h",
"machine_routines.h",
"param.h",
"cpuid.h",
"thread.h",
"trap.h",
"vmparam.h",
"signal.h",
"types.h",
"AFKMemoryDescriptorOptions.h",
"machine_machdep.h",
"atm_types.h",
"copyio.h",
"_OSByteOrder.h",
"crc.h",
"Block.h",
"OSBase.h",
"OSByteOrder.h",
"OSDebug.h",
"OSMalloc.h",
"OSAtomic.h",
"OSReturn.h",
"OSKextLib.h",
"OSTypes.h",
"version.h",
"sysctl.h",
"tree.h",
"zconf.h",
"zlib.h",
"libkern.h",
"kdp_callout.h",
"kdp_en_debugger.h",
"ipc_types.h",
"krpc.h",
"rpcv2.h",
"xdr_subs.h",
"nfs.h",
"nfsproto.h",
"bootp.h",
"if_ether.h",
"icmp6.h",
"icmp_var.h",
"igmp_var.h",
"igmp.h",
"in_pcb.h",
"in_stat.h",
"in_private.h",
"in_arp.h",
"in_var.h",
"in_systm.h",
"ip_var.h",
"ip_icmp.h",
"kpi_ipfilter.h",
"ip6.h",
"tcp_private.h",
"ip.h",
"tcp_timer.h",
"tcp_fsm.h",
"udp_var.h",
"tcp_seq.h",
"tcpip.h",
"udp.h",
"tcp_var.h",
"tcp.h",
"IOPCIFamilyDefinitions.h",
"IOPCIDevice.iig",
"PCIDriverKit.h",
"IOPCIDevice.h",
"audit_ioctl.h",
"stdarg.h",
"stdatomic.h",
"stdbool.h",
"stddef.h",
"string.h",
"stdint.h",
"ptrauth.h",
"math.h",
"monotonic.h",
"static_if.h",
"machine_kpc.h",
"machine_remote_time.h",
"ipc_pthread_priority_types.h",
"lz4_assembly_select.h",
"vm_compressor_algorithms.h",
"lz4.h",
"pmap.h",
"vm_dyld_pager.h",
"vm_far.h",
"vm_fault.h",
"vm_map.h",
"lz4_constants.h",
"vm_options.h",
"vm_pageout.h",
"vm_memtag.h",
"vm_shared_region.h",
"vm_kern.h",
"vfs_support.h",
"vecLib.h",
"vecLibTypes.h",
"vBasicOps.h",
"vForce.h",
"vDSP.h",
"uuid.h",
"UNDReply.defs",
"UNDRequest.defs",
"KUNCUserNotifications.h",
"UNDTypes.defs",
"UNDTypes.h",
"TargetConditionals.h",
"apfs_boot_mount.tbd",
"av.h",
"cop.h",
"bitcount.h",
"cv.h",
"ebcdic_tables.h",
"EXTERN.h",
"embedvar.h",
"fakesdio.h",
"feature.h",
"form.h",
"gv.h",
"git_version.h",
"dosish.h",
"hv_macro.h",
"hv_func.h",
"config.h",
"INTERN.h",
"handy.h",
"intrpvar.h",
"invlist_inline.h",
"hv.h",
"iperlsys.h",
"keywords.h",
"libperl.tbd",
"embed.h",
"l1_char_class_tab.h",
"mg_data.h",
"mg_raw.h",
"mg.h",
"mg_vtable.h",
"mydtrace.h",
"nostdio.h",
"op_reg_common.h",
"op.h",
"opcode.h",
"inline.h",
"overload.h",
"opnames.h",
"parser.h",
"malloc_ctl.h",
"pad.h",
"perl_inc_macro.h",
"perl_langinfo.h",
"perl_siphash.h",
"patchlevel.h",
"perlapi.h",
"metaconfig.h",
"perlio.h",
"perldtrace.h",
"perliol.h",
"perlvars.h",
"perlsdio.h",
"pp_proto.h",
"perly.h",
"pp.h",
"reentr.h",
"regcomp.h",
"perl.h",
"regexp.h",
"scope.h",
"sbox32_hash.h",
"time64_config.h",
"time64.h",
"sv.h",
"unixish.h",
"uconfig.h",
"utfebcdic.h",
"unicode_constants.h",
"utf8.h",
"regnodes.h",
"util.h",
"vutil.h",
"uudmap.h",
"warnings.h",
"XSUB.h",
"zaphod32_hash.h",
"encode.h",
"python-3.9.pc",
"python-3.9-embed.pc",
"python3-embed.pc",
"python3.pc",
"AFKUser.tbd",
"AdID.tbd",
"Admin.tbd",
"AirPlayReceiver.tbd",
"AppSandbox.tbd",
"ASEProcessing.tbd",
"AuthenticationServicesCore.tbd",
"WebGPU.tbd",
"WebDriver.tbd",
"MapKit.tbd",
"SwiftUI.swiftoverlay",
"WebKit.tbd",
"WebKit.apinotes",
"WKBackForwardList.h",
"NSAttributedString.h",
"WebKit.h",
"WKBackForwardListItem.h",
"WKContentRuleList.h",
"WKContentRuleListStore.h",
"WKContextMenuElementInfo.h",
"WKDataDetectorTypes.h",
"WKContentWorld.h",
"WKError.h",
"WKFoundation.h",
"WKFindResult.h",
"WKHTTPCookieStore.h",
"WKFrameInfo.h",
"WKNavigation.h",
"WKFindConfiguration.h",
"WKNavigationDelegate.h",
"WKNavigationResponse.h",
"WKOpenPanelParameters.h",
"WebKitLegacy.h",
"WKPreviewActionItem.h",
"WKNavigationAction.h",
"WKPreferences.h",
"WKPreviewActionItemIdentifiers.h",
"WKPreviewElementInfo.h",
"WKProcessPool.h",
"WKDownload.h",
"WKPDFConfiguration.h",
"WKScriptMessage.h",
"WKSecurityOrigin.h",
"WKScriptMessageHandler.h",
"WKSnapshotConfiguration.h",
"WKUIDelegate.h",
"WKURLSchemeTask.h",
"WKWebpagePreferences.h",
"WKUserContentController.h",
"WKWebsiteDataStore.h",
"WKWebsiteDataRecord.h",
"WKUserScript.h",
"WKURLSchemeHandler.h",
"WKWebViewConfiguration.h",
"WKWebView.h",
"WKScriptMessageHandlerWithReply.h",
"WKWindowFeatures.h",
"WKDownloadDelegate.h",
"ASAccountAuthenticationModificationController.h",
"ASAccountAuthenticationModificationViewController.h",
"ASAuthorization.h",
"ASAuthorizationAppleIDButton.h",
"ASAccountAuthenticationModificationRequest.h",
"ASAuthorizationAppleIDProvider.h",
"ASAuthorizationAppleIDRequest.h",
"ASAuthorizationAppleIDCredential.h",
"ASAuthorizationController.h",
"ASAuthorizationCredential.h",
"ASAccountAuthenticationModificationExtensionContext.h",
"ASAuthorizationError.h",
"ASAuthorizationCustomMethod.h",
"ASAuthorizationPasswordRequest.h",
"ASAuthorizationOpenIDRequest.h",
"ASAuthorizationPlatformPublicKeyCredentialDescriptor.h",
"ASAuthorizationPlatformPublicKeyCredentialProvider.h",
"ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h",
"ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h",
"ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h",
"ASAuthorizationPlatformPublicKeyCredentialRegistration.h",
"ASAuthorizationProvider.h",
"ASAuthorizationPlatformPublicKeyCredentialAssertion.h",
"ASAuthorizationPublicKeyCredentialAssertion.h",
"ASAuthorizationPublicKeyCredentialAssertionRequest.h",
"ASAuthorizationPublicKeyCredentialConstants.h",
"ASAuthorizationProviderExtensionAuthorizationResult.h",
"ASAuthorizationPublicKeyCredentialDescriptor.h",
"ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h",
"ASAuthorizationPasswordProvider.h",
"ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h",
"ASAuthorizationPublicKeyCredentialParameters.h",
"ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h",
"ASAuthorizationPublicKeyCredentialRegistration.h",
"ASAuthorizationPublicKeyCredentialRegistrationRequest.h",
"ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h",
"ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h",
"ASAuthorizationRequest.h",
"ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h",
"ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h",
"ASAuthorizationSingleSignOnCredential.h",
"ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h",
"ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h",
"ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h",
"ASAuthorizationSingleSignOnProvider.h",
"ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h",
"ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h",
"ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h",
"ASAuthorizationWebBrowserPublicKeyCredentialManager.h",
"ASAuthorizationWebBrowserPlatformPublicKeyCredential.h",
"ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h",
"ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h",
"ASCOSEConstants.h",
"ASCredentialIdentity.h",
"ASAuthorizationSingleSignOnRequest.h",
"ASCredentialIdentityStore.h",
"ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h",
"ASCredentialProviderExtensionContext.h",
"ASCredentialProviderViewController.h",
"ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h",
"ASCredentialServiceIdentifier.h",
"ASExtensionErrors.h",
"ASAuthorizationProviderExtensionAuthorizationRequest.h",
"ASCredentialRequest.h",
"ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h",
"ASPasskeyAssertionCredential.h",
"ASPasskeyCredentialRequest.h",
"ASPasskeyCredentialRequestParameters.h",
"ASCredentialIdentityStoreState.h",
"ASPasskeyRegistrationCredential.h",
"ASPasswordCredential.h",
"ASPublicKeyCredential.h",
"ASPasskeyCredentialIdentity.h",
"ASPublicKeyCredentialClientData.h",
"ASSettingsHelper.h",
"ASWebAuthenticationSessionCallback.h",
"ASWebAuthenticationSession.h",
"ASWebAuthenticationSessionRequest.h",
"ASWebAuthenticationSessionWebBrowserSessionManager.h",
"AuthenticationServices.h",
"ASFoundation.h",
"AuthenticationServices.apinotes",
"ASWebAuthenticationSessionWebBrowserSessionHandling.h",
"ASPasswordCredentialIdentity.h",
"ASPasswordCredentialRequest.h",
"GameKit.apinotes",
"GKAccessPoint.h",
"GameKit.h",
"GKAchievement.h",
"GKAchievementViewController.h",
"GKBasePlayer.h",
"GKAchievementDescription.h",
"GKChallengeEventHandler.h",
"GKCloudPlayer.h",
"GKChallengesViewController.h",
"GKChallenge.h",
"GKDefines.h",
"GKError.h",
"GKEventListener.h",
"GKFriendRequestComposeViewController.h",
"GKDialogController.h",
"GKGameSessionEventListener.h",
"GKGameSessionError.h",
"GKGameCenterViewController.h",
"GKGameSessionSharingViewController.h",
"GKLeaderboardEntry.h",
"GKLeaderboard.h",
"GKLeaderboardScore.h",
"GKGameSession.h",
"GKLeaderboardSet.h",
"GKLocalPlayer.h",
"GKLeaderboardViewController.h",
"GKMatch.h",
"GKMatchmaker.h",
"GKMatchmakerViewController.h",
"GKPeerPickerController.h",
"GKNotificationBanner.h",
"GKPublicConstants.h",
"GKPlayer.h",
"GKPublicProtocols.h",
"GKSavedGameListener.h",
"GKScore.h",
"GKSessionError.h",
"GKVoiceChat.h",
"GKTurnBasedMatchmakerViewController.h",
"GKSession.h",
"GKTurnBasedMatch.h",
"GKSavedGame.h",
"GKVoiceChatService.h"
],
"public": 1,
"adversary": "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc",
"targeted_countries": [
"United States of America",
"India",
"Australia"
],
"malware_families": [
{
"id": "OSAtomic",
"display_name": "OSAtomic",
"target": null
},
{
"id": "OSReturn",
"display_name": "OSReturn",
"target": null
},
{
"id": "Ver",
"display_name": "Ver",
"target": null
},
{
"id": "Internet",
"display_name": "Internet",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1123",
"name": "Audio Capture",
"display_name": "T1123 - Audio Capture"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1049",
"name": "System Network Connections Discovery",
"display_name": "T1049 - System Network Connections Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ilyailya",
"id": "298851",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1968,
"domain": 526,
"FileHash-SHA256": 207,
"hostname": 972,
"email": 55,
"FileHash-SHA1": 9,
"FileHash-MD5": 4,
"CVE": 2,
"CIDR": 10
},
"indicator_count": 3753,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 34,
"modified_text": "347 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66c9103736c51f12e3bcfac8",
"name": "VGT INTERNET - pozycjonowanie, serwery, domeny, strony www, poligrafia",
"description": "Willi Echo wedi dweud wrthod wybodaeth iawno i'wodraeth o oryginalnej architekturze, a ddydd Sadwrn.",
"modified": "2024-12-27T01:07:36.247000",
"created": "2024-08-23T22:41:59.321000",
"tags": [
"adres url",
"profesjonalne",
"projektowanie",
"tworzenie",
"stron",
"internetowych",
"strony",
"internetowe",
"pozycjonowanie",
"poligrafia",
"web design",
"hosting",
"internet",
"cms",
"reklama",
"vgt internet",
"skuteczna",
"przegldaj",
"skontaktuj",
"z nami",
"info",
"ssl domeny",
"copyright",
"authority key",
"identifier id",
"win32",
"whasz",
"oszczdno",
"win32 exe",
"magia plik",
"pe32 dla",
"ms windows",
"intel",
"oglny plik",
"windos",
"generic",
"typ pliku",
"typ jzyk",
"ikona rt",
"neutralny",
"tekst ascii",
"wersja rt",
"angielski usa",
"plik",
"file name",
"type win32",
"exe size",
"mb first",
"seen",
"size",
"first seen",
"avg win32",
"bkav undetected",
"malicious",
"drweb",
"sha1",
"sha256",
"pehash",
"richhash",
"meble na wymiar",
"meble na zam\u00f3wienie",
"szafy",
"meble \u0142azienkowe",
"meble kuchenne",
"meble biurowe",
"zabudowy wn\u0119k",
"blaty kamienne",
"sprawd",
"strong",
"wirtualne",
"kreatywne meble",
"produkcja",
"kuchnie",
"zabudowa",
"zwizualizuj",
"kliknij",
"speedtest",
"files proofs",
"vin syd",
"sgp sbg",
"rbx hil",
"gra eri",
"bom bhs",
"ssl certificate",
"noclegi szklarska por\u0119ba",
"nocleg w szklarskiej por\u0119bie",
"szklarska por\u0119ba pensjonat",
"szklarska por\u0119ba",
"pokoje",
"pensjonat",
"spa",
"wakacje",
"relaks",
"wypoczynek",
"willa echo",
"willi echo",
"szrenic",
"tobie",
"pastwu",
"znajduje si",
"azienka",
"wifi",
"z naczyniami",
"bajeczne",
"e1 f7",
"c5 e0",
"algorithm",
"key identifier",
"x509v3 subject",
"number",
"cus olet",
"encrypt cnr10",
"validity",
"subject public",
"key info",
"key algorithm",
"vhash",
"ssdeep",
"file type",
"ini text"
],
"references": [
"http://sanselo.pl",
"http://www.sanselo.pl",
"http://vgt.pl",
"http://www.vgt.pl",
"http://franas.pl",
"http://www.franas.pl",
"https://kreatywne-meble.pl",
"http://ovh.net/common/font/lato/light/webfont.svg",
"https://ws.nperf.com/partner/js?l=05d1f5db-f38f-42ed-924b-87e3b0f2d5b6",
"http://willaecho.pl/",
"http://www.willaecho.pl/",
"http://www.tomasz.franas.pl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 438,
"domain": 128,
"hostname": 524,
"URL": 943,
"IPv4": 23,
"FileHash-SHA256": 3021,
"FileHash-SHA1": 397,
"email": 4,
"CVE": 1
},
"indicator_count": 5479,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 123,
"modified_text": "478 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "663d2869e0f3a42bbddc42ff",
"name": "UPX executable packer.",
"description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"",
"modified": "2024-10-14T00:01:17.069000",
"created": "2024-05-09T19:47:53.786000",
"tags": [
"cioch adrian",
"centrum usug",
"sieciowych",
"elf binary",
"upx compression",
"roth",
"nextron",
"info",
"javascript",
"html",
"office open",
"xml document",
"network capture",
"win32 exe",
"xml pakietu",
"pdf zestawy",
"przechwytywanie",
"office",
"filehashsha1",
"url https",
"cve cve20201070",
"cve cve20203153",
"cve cve20201048",
"cve cve20211732",
"cve20201048 apr",
"filehashmd5",
"cve cve20010901",
"cve cve20021841",
"cve20153202 apr",
"cve cve20160728",
"cve cve20161807",
"cve cve20175123",
"cve20185407 apr",
"cve cve20054605",
"cve cve20060745",
"cve cve20070452",
"cve cve20070453",
"cve cve20070454",
"cve cve20071355",
"cve cve20071358",
"cve cve20071871",
"cve20149614 apr",
"cve cve20151503",
"cve cve20152080",
"cve cve20157377",
"cve cve20170131",
"cve20200796 may",
"cve cve20113403"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6861,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 5771,
"domain": 3139,
"URL": 14525,
"FileHash-SHA1": 2610,
"IPv4": 108,
"CIDR": 40,
"FileHash-SHA256": 10705,
"FileHash-MD5": 3373,
"YARA": 2,
"CVE": 148,
"Mutex": 7,
"FilePath": 3,
"SSLCertFingerprint": 3,
"email": 23,
"JA3": 1,
"IPv6": 2
},
"indicator_count": 40460,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "552 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "664bd9b732ecaf1b3c3beddf",
"name": "Found some problems - Files from the UAlberta Google Drive Archive",
"description": "Been looking for these...Gifts from the University of Alberta to the World apparently\n*Please note: I emptied out the Drive, however, there was a significant amount of abuse re: Google and Microsoft Accounts at the University of Alberta (reported).\n*On the Google side I utilized: Drive (a little), Docs/Slides/Sheets (when groupwork was required)\n*On the Microsoft side I utilized: OneDrive, Office 365 (Word, PPT, Excel, and OneNote). I used to also have a personal microsoft account (OneNote, OneDrive, Skype).\nThese were the applications I lived on for my studies. I could access the Gmail/Microsoft accounts for the University (however - 'bad things' usually happen because of this). I have no access to my personal Microsoft Account (i.e. myself and other affected student(s) do not have access to our personal stuff.",
"modified": "2024-09-03T00:02:13.980000",
"created": "2024-05-20T23:16:07.255000",
"tags": [
"contact",
"quick",
"destination",
"entry",
"safety",
"local",
"health",
"travel",
"notification",
"considerations",
"service",
"criminal",
"showit",
"click",
"outcome",
"step",
"please",
"class",
"questions set",
"question set",
"unlock",
"continue",
"jointfilingyes",
"jointfilingno",
"minimum req",
"domicileresusno",
"joint sponsor",
"sponsorjoint",
"path",
"href",
"span",
"activetab",
"starton",
"newpage",
"searchq",
"datasia",
"datacon",
"segfilter",
"subsite",
"issuance agency",
"visas",
"null",
"state",
"dialog field",
"tabpanel",
"recaptcha",
"nameinputvisa",
"fullnameinput1",
"license headers",
"tools",
"templates",
"sia contact",
"visa",
"website",
"phoneregexp",
"emailregexp",
"azaz",
"urlpattern",
"example starter",
"javascript",
"fetch",
"comptwo",
"compone",
"dateofbirth",
"function",
"date",
"passport",
"nameinput",
"fullnameinput",
"adult passport",
"child passport",
"new child",
"new adult",
"new passport",
"datepicker",
"ds5504",
"hideit",
"infinity",
"false",
"jquery",
"error",
"body",
"trident",
"simple",
"turn",
"back",
"calendar",
"format",
"february",
"april",
"june",
"august",
"show",
"page has",
"bcdate",
"col1child",
"col2child",
"coldatechild",
"rowdisplay",
"val1",
"val2",
"repaginate",
"grab",
"jandec",
"86400000",
"current",
"namerbcontactme",
"agency",
"compliment",
"complaint",
"passportfees",
"customerservice",
"bymail",
"namerbcategory",
"brokenlink",
"search",
"departuredate",
"calendar date",
"picker",
"change",
"month",
"vital",
"records form",
"component js",
"select",
"please enter",
"azaz09",
"dddddd",
"woff2",
"woff",
"truetype",
"css document",
"efefef",
"ffffff",
"gradienttype0",
"galaxy",
"nexus",
"iphone5",
"abtn",
"bbtn",
"cbtn",
"dbtn",
"ebtn",
"fbtn",
"gbtn",
"hbtn",
"ibtn",
"media query",
"from",
"fce68e",
"font family",
"bold",
"document",
"cc3333",
"b7b7b7",
"e2edff",
"ced9ea",
"pm author",
"ipca csi",
"helvetica",
"arial",
"cq aem",
"feed classes",
"f2cd54",
"f4d97e",
"portrait",
"landscape",
"ipad",
"declare",
"immigrant",
"visa navigation",
"navigation css",
"georgia",
"times new",
"roman",
"times",
"verdana",
"photomodal",
"styles media",
"ff0000",
"queries",
"form component",
"typetext",
"queries media",
"phone media",
"tablet styles",
"media queries",
"jumbo sized",
"copyright",
"gpl version",
"http",
"alpha",
"button",
"out width",
"ui css",
"framework",
"icons",
"misc",
"mini",
"input",
"label",
"textarea",
"overlays",
"csi page",
"embassy info",
"embassy data",
"embassy names",
"end adjust",
"embassy nameso",
"pages",
"e1a04d",
"c0c0c0",
"ffffff url",
"us survey",
"component css",
"country list",
"e7eceb",
"important",
"additional css",
"wizard",
"corner radius",
"f97800",
"c61700",
"largestbox",
"thisbox",
"csi navigation",
"ui autocomplete",
"ui menu",
"noticeid",
"countnote",
"largestnote",
"thisnote",
"desktops",
"43px",
"42px",
"large",
"aem interface",
"styles",
"web email",
"ytconfig",
"typeerror",
"facebook pixel",
"pixel code",
"symbol",
"fblog",
"typeof",
"iterator",
"pageview",
"pixel",
"facebook",
"config",
"meta",
"propname",
"dpjquerydpuuid",
"this",
"next",
"atom",
"cookie",
"iframe",
"close",
"string",
"number",
"edge",
"regexp",
"silk",
"sxa0",
"object",
"opera",
"android",
"void",
"form",
"UAlberta",
"Android",
"Mac",
"iPhone",
"Gov Alberta",
"AWS",
"AZURE",
"ENTRA",
"iCloud",
"Telus",
"Bitdefender",
"Norton"
],
"references": [
"Copy of clientlib.js(1).download",
"Copy of clientlib.js(2).download",
"Copy of clientlib.js(5).download",
"Copy of clientlib.js(7).download",
"Copy of clientlib.js(4).download",
"Copy of clientlib.js(10).download",
"Copy of clientlib.js(8).download",
"Copy of clientlib.js(11).download",
"Copy of clientlib.js(12).download",
"Copy of clientlib.js(13).download",
"Copy of clientlib.js(14).download",
"Copy of clientlib.js(9).download",
"Copy of clientlib.js(16).download",
"Copy of clientlib.js(17).download",
"Copy of clientlib.js(18).download",
"Copy of clientlib.js(3).download",
"Copy of clientlib.js(19).download",
"Copy of clientlib.js(15).download",
"Copy of clientlib.js(22).download",
"Copy of clientlib.js(23).download",
"Copy of clientlib.js(21).download",
"Copy of clientlib.js(26).download",
"Copy of clientlib.js(25).download",
"Copy of clientlib.js(24).download",
"Copy of clientlib.js(31).download",
"Copy of clientlib.js(28).download",
"Copy of clientlib.js(30).download",
"Copy of clientlib.js(32).download",
"Copy of clientlib.js(29).download",
"Copy of clientlib.js(34).download",
"Copy of clientlib.js(35).download",
"Copy of clientlib.js(37).download",
"Copy of clientlib.js(36).download",
"Copy of clientlib.js(38).download",
"Copy of clientlib.js(39).download",
"Copy of clientlib.js(33).download",
"Copy of clientlib.js(44).download",
"Copy of clientlib.js(43).download",
"Copy of clientlib.js(41).download",
"Copy of clientlib.js(42).download",
"Copy of clientlib.js(45).download",
"Copy of clientlib.js(51).download",
"Copy of clientlib.js(56).download",
"Copy of clientlib.js(55).download",
"Copy of clientlib.js(54).download",
"Copy of clientlib.js(57).download",
"Copy of clientlib.js(52).download",
"Copy of clientlib.js(53).download",
"Copy of clientlib.js(60).download",
"Copy of clientlib(1).css",
"Copy of clientlib.js(59).download",
"Copy of clientlib(3).css",
"Copy of clientlib(2).css",
"Copy of clientlib(5).css",
"Copy of clientlib.js(58).download",
"Copy of clientlib(8).css",
"Copy of clientlib(10).css",
"Copy of clientlib(7).css",
"Copy of clientlib(6).css",
"Copy of clientlib(12).css",
"Copy of clientlib(13).css",
"Copy of clientlib(9).css",
"Copy of clientlib(4).css",
"Copy of clientlib(14).css",
"Copy of clientlib(17).css",
"Copy of clientlib(15).css",
"Copy of clientlib(19).css",
"Copy of clientlib(18).css",
"Copy of clientlib(11).css",
"Copy of clientlib(20).css",
"Copy of clientlib(16).css",
"Copy of clientlib(23).css",
"Copy of clientlib(24).css",
"Copy of clientlib(26).css",
"Copy of clientlib(25).css",
"Copy of clientlib(28).css",
"Copy of clientlib(22).css",
"Copy of clientlib(27).css",
"Copy of clientlib(31).css",
"Copy of clientlib(29).css",
"Copy of clientlib(30).css",
"Copy of clientlib(32).css",
"Copy of clientlib(34).css",
"Copy of clientlib(35).css",
"Copy of clientlib(33).css",
"Copy of clientlib(38).css",
"Copy of clientlib(37).css",
"Copy of clientlib(36).css",
"Copy of clientlib(40).css",
"Copy of clientlib(39).css",
"Copy of clientlib(43).css",
"Copy of clientlib(21).css",
"Copy of clientlib(41).css",
"Copy of clientlib(44).css",
"Copy of clientlib(42).css",
"Copy of clientlib(46).css",
"Copy of clientlib(45).css",
"Copy of clientlib(47).css",
"Copy of clientlib(48).css",
"Copy of clientlib(49).css",
"Copy of clientlib(50).css",
"Copy of clientlib(52).css",
"Copy of clientlib(54).css",
"Copy of clientlibs.js(3).download",
"Copy of clientlib(53).css",
"Copy of clientlibs.js(2).download",
"Copy of clientlibs(3).css",
"Copy of clientlib(51).css",
"Copy of clientlibs(1).css",
"Copy of clientlibs(2).css",
"Copy of clientlibs.js.download",
"Copy of clientlibs.js(4).download",
"Copy of clientlibs(5).css",
"Copy of clientlibs.css",
"Copy of clientlibs(4).css",
"Copy of dir (1).c9r",
"Copy of clientlib(55).css",
"Copy of iframe_api",
"Copy of fbevents.js.download",
"Copy of clientlibs.js(1).download",
"Copy of js",
"https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/iocs",
"https://www.virustotal.com/gui/collection/7196cbc5285fb7e155a529980dc1797d3ab3884e20c77c66d9b1b971c313fe56/graph",
"hxxps://go[.]microsoft[.]com/fwlink/?LinkId=2033498",
"hxxps://portal[.]office[.]com/Account",
"hxxps://myapplications[.]microsoft[.]com/",
"https://tria.ge/240521-rvybaahb79",
"https://tria.ge/240521-rxpf6ahd6w",
"https://tria.ge/240521-r1yh8shd44",
"https://tria.ge/240521-ry949ahe2z/behavioral1",
"https://tria.ge/240521-r3mvhshd83"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada",
"Mexico",
"Anguilla",
"Aruba",
"Panama",
"Ukraine",
"Trinidad and Tobago",
"Saint Vincent and the Grenadines",
"Saint Martin (French part)",
"Sint Maarten (Dutch part)",
"Philippines",
"Netherlands",
"Cura\u00e7ao",
"Georgia",
"Tanzania, United Republic of",
"Costa Rica",
"Guatemala",
"Japan",
"Barbados"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
}
],
"industries": [
"Education",
"Technology",
"Government",
"Healthcare",
"Biotechnology",
"Telecommunications",
"Energy",
"Construction",
"Chemical",
"Agriculture",
"Finance",
"Media",
"Defense",
"Transportation"
],
"TLP": "white",
"cloned_from": null,
"export_count": 24,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 251,
"hostname": 188,
"FileHash-SHA256": 142,
"URL": 69,
"FileHash-MD5": 77,
"FileHash-SHA1": 77
},
"indicator_count": 804,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 133,
"modified_text": "593 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6639853fc403f7be5bd6f27d",
"name": "Facebook+",
"description": "",
"modified": "2024-05-07T01:34:55.365000",
"created": "2024-05-07T01:34:55.365000",
"tags": [],
"references": [
"https://www.virustotal.com/gui/collection/09af9ef0b7b23d2dc73d83858106ae4fc97a352dbb521ac04493a0e79095ac69/iocs",
"https://www.virustotal.com/gui/collection/79c25168b2f93d9730a56b8d2b834cbfb2752b63b21b9dd51109416fbaa676d8/iocs",
"https://www.virustotal.com/graph/embed/g8726609a12794ebeb59edd531961a233068149bcdf994b428f20141be6111551?theme=dark",
"https://www.virustotal.com/graph/embed/g365a82115f934e31a69118715695c91c231f66cda9084c9389e56afb985a243e?theme=dark",
"",
"https://www.virustotal.com/gui/collection/6a8d582df4fe5a29885dad4074236bc9e4ed445aaf0cc00702d45963fb0459bb/iocs"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "65eea19a23474b8c7dca351f",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Phone2209",
"id": "281168",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1165,
"hostname": 866,
"URL": 657,
"FileHash-SHA256": 26,
"email": 337,
"FileHash-MD5": 12,
"FileHash-SHA1": 8,
"CIDR": 1
},
"indicator_count": 3072,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 1,
"modified_text": "712 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657096b22a51f1cc56dcfb53",
"name": "172.217.16.232 BT home router network attack 10th May 2022 - those HTTP headers and JS scripts are taking over the world",
"description": "",
"modified": "2023-12-06T15:43:46.083000",
"created": "2023-12-06T15:43:46.083000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 802,
"hostname": 392,
"domain": 134,
"FileHash-SHA256": 82,
"FileHash-MD5": 1
},
"indicator_count": 1411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708eb824dc4c51811f6de9",
"name": "Indusface - in YOUR face ;)",
"description": "",
"modified": "2023-12-06T15:09:44.273000",
"created": "2023-12-06T15:09:44.273000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 307,
"hostname": 333,
"domain": 192,
"URL": 1143,
"FileHash-MD5": 1
},
"indicator_count": 1976,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708e0d95a8c74cc715f7a2",
"name": "West.cn",
"description": "",
"modified": "2023-12-06T15:06:53.350000",
"created": "2023-12-06T15:06:53.350000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 208,
"domain": 533,
"hostname": 757,
"URL": 1861,
"FileHash-MD5": 1
},
"indicator_count": 3360,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708c37c54dd9e78f85c0fa",
"name": "\u7ea2\u674f\u89c6\u9891 malware",
"description": "",
"modified": "2023-12-06T14:59:03.859000",
"created": "2023-12-06T14:59:03.859000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1686,
"hostname": 2218,
"URL": 5740,
"domain": 901,
"FileHash-MD5": 3
},
"indicator_count": 10548,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708c1c5e2cc4dfe8d0ed97",
"name": "CPANEL-TUCOWS \u2014malware hosting",
"description": "",
"modified": "2023-12-06T14:58:36.254000",
"created": "2023-12-06T14:58:36.254000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 815,
"hostname": 3487,
"domain": 1182,
"URL": 10194,
"FileHash-MD5": 3,
"FileHash-SHA1": 1
},
"indicator_count": 15682,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708bbc4c8bf557c17688e1",
"name": "\u9ad8\u5c71tv,\u9ad8\u5c71tv,\u9ad8\u5c71tv\u5f71\u9662,\u9ad8\u5c71tv\u770b\u7247\u7f51",
"description": "",
"modified": "2023-12-06T14:57:00.280000",
"created": "2023-12-06T14:57:00.280000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"FileHash-SHA256": 233,
"domain": 361,
"hostname": 563,
"URL": 1374,
"FileHash-SHA1": 1,
"FileHash-MD5": 1
},
"indicator_count": 2534,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708b5e9b8ce0f5fd87fb98",
"name": "ewqopweowia543.ga",
"description": "",
"modified": "2023-12-06T14:55:26.621000",
"created": "2023-12-06T14:55:26.621000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 1,
"hostname": 706,
"domain": 234,
"FileHash-SHA256": 238,
"URL": 1386
},
"indicator_count": 2565,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708a8b61abf1b451f2aebc",
"name": "Botnet",
"description": "",
"modified": "2023-12-06T14:51:55.086000",
"created": "2023-12-06T14:51:55.086000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"hostname": 619,
"URL": 1547,
"domain": 246,
"FileHash-SHA256": 124
},
"indicator_count": 2538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65708a87eeed875a212dff0a",
"name": "Botnet",
"description": "",
"modified": "2023-12-06T14:51:51.546000",
"created": "2023-12-06T14:51:51.546000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"hostname": 619,
"URL": 1547,
"domain": 246,
"FileHash-SHA256": 124
},
"indicator_count": 2538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "657080735501c11ddbb7a988",
"name": "Dominionvoting.com 03.03.22",
"description": "",
"modified": "2023-12-06T14:08:51.329000",
"created": "2023-12-06T14:08:51.329000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 663,
"hostname": 588,
"domain": 413,
"URL": 2183,
"FileHash-MD5": 7
},
"indicator_count": 3854,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65707f8475d8a8785dfc5a2f",
"name": "Zetalytics API",
"description": "",
"modified": "2023-12-06T14:04:52.250000",
"created": "2023-12-06T14:04:52.250000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 754,
"hostname": 833,
"domain": 441,
"URL": 2375,
"CIDR": 5,
"FileHash-MD5": 2,
"email": 1
},
"indicator_count": 4411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65402a8dec948bec8b0a0372",
"name": "24 CVE's | Health Liability bDarkside 2020 Ecosystem .BEware",
"description": "Matrix of cyber crime attacks appears to involved legal entities and a division of Workers Compensation Colorado, possibly used nationally. Targeting, monitoring, tracking, malvertizing, cyber attacks, CNC. Critical.\nCould probably be disputed $$$$ though undisputable. \nEd Said. \nhttp://1.116.132.182/weblogic_CVE_2020_2551.jar\t\t\t\nCVE-2020-0601\t\t\t\t\t\nCVE-2018-8174\t\t\t\nCVE-2018-4893\t\t\t\nCVE-2018-0802\t\t\t\nCVE-2017-8759\t\t\t\t\t\t\nCVE-2017-8464\t\t\t\nCVE-2017-1188\t\t\t\t\nCVE-2017-0143\t\t\t\nCVE-2016-7262\t\t\t\nCVE-2014-6352\t\t\t\nCVE-2013-2465\t\t\t\nCVE-2011-2110\t\t\t\nCVE-2011-0609\t\t\t\nCVE-2010-2568\t\t\t\nCVE-2018-8453\t\t\t\nCVE-2013-1331\nCVE-2012-1856\t\t\t\t\nCVE-2012-0158\t\t\t\t\t\t\nCVE-2017-8570\t\t\t\nCVE-2017-11882\t\t\t\nCVE-2017-0199\t\t\t\t\t\t\nCVE-2017-0147\t\t\t\t\t\t\nCVE-2014-3153",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T22:13:33.427000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 92,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6544cbbca7610e92e4262c47",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Targeting",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-11-03T10:30:20.965000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "654140bae73f795aa914e8de",
"export_count": 108,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "654140bae73f795aa914e8de",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-31T18:00:26.439000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "65401d73e96dd70037ed22a7",
"export_count": 98,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65403022038832e42175601f",
"name": "CRITICAL!!! | Health Insurance Cyber threat Matrix - Darkside 2020 Ecosystem .BEware ",
"description": "",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T22:37:22.425000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": "65402a8dec948bec8b0a0372",
"export_count": 95,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4604,
"hostname": 4187,
"CIDR": 2,
"CVE": 23,
"URI": 1
},
"indicator_count": 25942,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401fddb74fe1ea8506132d",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:27:57.026000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 92,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401fcb063a0a34fa323603",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "Law Enforcement? DOJ? ACLU? Help? This is CRAZY.\nSilencing.\nI like her song clicked on link but it was malicious. I was redirected to an Indian link that looked like YouTube.\nI am a professional, awarded researcher in many areas, parent, security researcher, graphic designer, supplier, music lover , disabled. overly curious and hacked. HELP. SCARED",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:27:39.980000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 87,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401dbe47ce126e7468a2dc",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I'm actually uncomfortable finding this.",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:18:54.411000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 85,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401da888067e7f6379d23e",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I'm actually uncomfortable finding this.",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:18:32.141000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 8601,
"URL": 7499,
"domain": 4603,
"hostname": 4187,
"CIDR": 2,
"CVE": 23
},
"indicator_count": 25940,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d8480e4a9ed725f6458",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:56.820000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 83,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d76b057b79aaf7ba4a7",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:40.239000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 84,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d73e96dd70037ed22a7",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:39.802000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65401d5ee5a7359a5e815a6a",
"name": "Darkside 2020 Ecosystem .BEware | BGP.tools | Target Tsara Brashears",
"description": "I don't want to be dramatic but...Main source of cyber attacks. Includes - governmentattic.org, tulach.cc, malvertizing, monitoring. remote attacks, endangered Tsara Brashears attack, BotNet, CNC, telephone service, Apple hacking. https://bgp.tools/prefix/167.203.96.0, adult content, moo.com, afraid.org. I'm assuming accessed by attorneys and insurance companies to silence people forever. Death references. I can't verify if government complicity is accurate or spoofed. Stranger was owned by American International Group, found in an STSH domain (AIG.com). Last night Ben Cartwright became the sole owner of domain after being a verified AIG domain. Terrifying. Looks like the main target is the same. Tsara Brashears. \nFound in an attack against a device 'malicious sorry index' that caused research effort. \n[auto populated: BGP.TOOLS - bgp.tools - has published its full list of historical records for BGP, which are based on its current IP address address and routing system (PGP).]",
"modified": "2023-11-29T14:03:31.663000",
"created": "2023-10-30T21:17:18.712000",
"tags": [
"ssl certificate",
"whois record",
"contacted",
"referrer",
"communicating",
"resolutions",
"historical ssl",
"whois whois",
"http",
"critical risk",
"dark power",
"cobalt strike",
"malware",
"core",
"critical",
"copy",
"formbook",
"submission",
"sophos sophos",
"xcitium verdict",
"cloud xcitium",
"verdict cloud",
"history first",
"analysis",
"utc http",
"response final",
"url https",
"march",
"execution",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"file",
"et tor",
"known tor",
"meta",
"monitoring",
"date",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"unknown",
"hybrid",
"general",
"click",
"strings",
"class",
"generator",
"error",
"pe resource",
"redline stealer",
"april",
"lockbit",
"emotet",
"hacktool",
"apple",
"tsara brashears",
"tmobile",
"pyinstaller",
"password",
"dns poisoning",
"domains",
"abuse",
"kiannas law",
"cyber security",
"cisco umbrella",
"site",
"malware site",
"malicious site",
"safe site",
"alexa top",
"million",
"phishing site",
"team phishing",
"exploit",
"download",
"unruy",
"alexa",
"riskware",
"back",
"azorult",
"phishing",
"service",
"runescape",
"facebook",
"bank",
"team",
"cutwail",
"adload",
"maltiverse",
"kryptik",
"united",
"cyber threat",
"engineering",
"bambernek",
"strike",
"zbot",
"suppobox",
"malicious",
"ransomware",
"virut",
"bandoo",
"matsnu",
"iframe",
"zeus",
"agent",
"steam",
"nymaim",
"citadel",
"heur",
"covid19",
"simda",
"artemis",
"bradesco",
"pony",
"pykspa",
"sodinokibi",
"betabot",
"virustotal",
"tinba",
"domaiq",
"ave maria",
"revil",
"downloader",
"tofsee",
"vawtrak",
"hotmail",
"dnspionage",
"nexus",
"generic",
"andromeda",
"dropper",
"crypt",
"outbreak",
"wacatac",
"mimikatz",
"trojanx",
"astaroth",
"keybase",
"stealer",
"radamant",
"kovter",
"unsafe",
"win64",
"conduit",
"presenoker",
"opencandy",
"remcos",
"miner",
"agenttesla",
"trojan",
"detplock",
"networm",
"fusioncore",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"fakealert",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"kgs0",
"kls0",
"threat report",
"ip summary",
"url summary",
"summary",
"urls",
"detection list",
"blacklist http",
"samples",
"blacklist"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Maltiverse",
"display_name": "Maltiverse",
"target": null
},
{
"id": "Kryptik",
"display_name": "Kryptik",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
}
],
"industries": [
"Health"
],
"TLP": "green",
"cloned_from": null,
"export_count": 82,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 518,
"FileHash-SHA1": 507,
"FileHash-SHA256": 10945,
"URL": 19764,
"domain": 5110,
"hostname": 8668,
"CIDR": 2,
"CVE": 24
},
"indicator_count": 45538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653fd47a852cc130c72de9e5",
"name": "BGP.Tools",
"description": "",
"modified": "2023-11-29T05:05:42.592000",
"created": "2023-10-30T16:06:18.567000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"whois whois",
"communicating",
"relacionada",
"resolutions",
"historical ssl",
"collections new",
"family",
"lolkek",
"dark power",
"ransomware",
"play ransomware",
"makop",
"core",
"redline stealer",
"hacktool",
"emotet",
"quasar rat",
"wiper",
"ursnif",
"malware",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server",
"date wed",
"html info",
"meta tags",
"name verdict",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"ascii text",
"et tor",
"known tor",
"meta",
"monitoring",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"date",
"unknown",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"njrat",
"cobalt strike"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "653f4d0c4cca0c5f58530600",
"export_count": 39,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3631,
"FileHash-MD5": 45,
"FileHash-SHA1": 44,
"FileHash-SHA256": 1788,
"CVE": 5,
"domain": 543,
"hostname": 1328,
"CIDR": 2,
"email": 1
},
"indicator_count": 7387,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 225,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653f4d0c4cca0c5f58530600",
"name": "BGP.Tools",
"description": "BGP is a very malicious, developed spyware tool. Attorneys, insurance companies use tool. BGP Hurricane. In the past they will call target and a modem connects draining ALL content. It can CNC device, erase everything from it, manipulate dropbox as well as other clouds. Very destructive.Once you're a target your privacy is gone for good. Assertions from threat crowd that CISA/Valmet are government phishing entities concerns me. BGP gets a 100% malicious score. Listed as part of infrastructure is CISA. A familiar name in adult content and other commands, vulnerabilities,etc. I'm not sure what to believe, or what's going on.",
"modified": "2023-11-29T05:05:42.592000",
"created": "2023-10-30T06:28:28.160000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"whois whois",
"communicating",
"relacionada",
"resolutions",
"historical ssl",
"collections new",
"family",
"lolkek",
"dark power",
"ransomware",
"play ransomware",
"makop",
"core",
"redline stealer",
"hacktool",
"emotet",
"quasar rat",
"wiper",
"ursnif",
"malware",
"http response",
"final url",
"ip address",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server",
"date wed",
"html info",
"meta tags",
"name verdict",
"falcon sandbox",
"pattern match",
"changelog",
"header",
"layer",
"data",
"ipv4",
"function",
"ascii text",
"et tor",
"known tor",
"meta",
"monitoring",
"body",
"form",
"august",
"june",
"friendly",
"main",
"footer",
"date",
"unknown",
"hybrid",
"general",
"local",
"click",
"strings",
"class",
"generator",
"critical",
"error",
"njrat",
"cobalt strike"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 42,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3631,
"FileHash-MD5": 45,
"FileHash-SHA1": 44,
"FileHash-SHA256": 1788,
"CVE": 5,
"domain": 543,
"hostname": 1328,
"CIDR": 2,
"email": 1
},
"indicator_count": 7387,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "872 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "645c9552d2976bc754de54f3",
"name": ";https://ssl.kaptcha.com/collect/sdk?m=700000",
"description": "[",
"modified": "2023-05-11T07:12:18.292000",
"created": "2023-05-11T07:12:18.292000",
"tags": [],
"references": [
"https://ssl.kaptcha.com/collect/sdk?m=700000",
"https://www.hybrid-analysis.com/sample/161727a812a1c449bd581cbe577ba30fff74533887ce55dccdc7eaad27753b2c/645bf4aed69ba630d909ae5f"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1177,
"domain": 162,
"hostname": 321,
"FileHash-SHA256": 81,
"IPv4": 6,
"FileHash-MD5": 71,
"FileHash-SHA1": 53,
"email": 3
},
"indicator_count": 1874,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "1074 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6431d1244a8ae763a8d5ed74",
"name": "http://hm732.com/ - v2 all and sundrie",
"description": "",
"modified": "2023-05-08T20:02:01.231000",
"created": "2023-04-08T20:40:04.099000",
"tags": [
"trojan",
"chromeua",
"dropped file",
"optout",
"runtime data",
"object",
"drmedgeua",
"unicode",
"optin",
"edgeua",
"span",
"error",
"win64",
"date",
"format",
"addressbar",
"generator",
"path",
"template",
"suspicious",
"unknown",
"void",
"desktop",
"dark",
"light",
"mozilla",
"this",
"cookie",
"meta",
"iframe",
"window",
"legend",
"null",
"wind",
"strings",
"qakbot",
"http://hm732.com/"
],
"references": [
"https://hybrid-analysis.com/sample/bca1a3df6a236ec7870fbae8a5d5c5597347dad17f9b00e49c05ab1eb8e87f83/64319a805d10c703330b366e"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2345,
"hostname": 951,
"domain": 405,
"FileHash-SHA256": 82,
"FileHash-MD5": 63,
"FileHash-SHA1": 61,
"email": 5
},
"indicator_count": 3912,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 92,
"modified_text": "1076 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "63dbbf6ae4f5433c2bab52e9",
"name": "172.217.16.232 BT home router network attack 10th May 2022 - those HTTP headers and JS scripts are taking over the world",
"description": "A guide to some of the key methods used by the web browser, jQuery, to create web pages and add links to the search engine and other parts of its web address system, as well as the address bar.",
"modified": "2023-03-04T13:00:43.098000",
"created": "2023-02-02T13:49:30.620000",
"tags": [
"null",
"copyright",
"jan sorgalla",
"built",
"bill scott",
"http",
"error",
"function",
"title",
"method",
"play",
"fast",
"click",
"return",
"href",
"target",
"span",
"pass",
"linear",
"timebuff",
"block",
"trigger",
"nivoslider",
"display",
"width",
"show",
"next",
"arrow",
"restart",
"stop",
"iframe",
"alpha",
"factory",
"type",
"handle",
"sizzle",
"match",
"check",
"make sure",
"elem",
"name",
"regexp",
"hooks",
"false",
"date",
"class",
"internal",
"done",
"bind",
"test",
"body",
"copy",
"hold",
"mozilla",
"logic",
"flash",
"jquery",
"fall",
"bubble",
"prop",
"meta",
"middle",
"mark",
"thus",
"form",
"script script",
"a li",
"div div",
"mua bn",
"link",
"a div",
"trang ch",
"gii thiu",
"tin tc",
"header http2",
"gmt cache",
"gmt server",
"litespeed",
"443 ma2592000",
"172.217.16.232",
"http://lhr48s28-in-f8.1e100.net"
],
"references": [
"[object Object] is a string representation of an object instance. Take this example: When the alert runs, it returns [object Object] in the alert modal. It tries to return a string representation of what was passed into alert, but because the engine sees this as an object, and not a string, it tells us that its an instance of an Object instead.",
"443 Header\tHTTP/2 200 x powered by: PHP/7.4.29 set cookie: PHPSESSID=9158e16820bdbb5be0d1faa520b7dc19 path=/ expires: Thu 19 Nov 1981 08:52:00 GMT cache control: no store no cache must revalidate pragma: no cache content type: text/html charset=UTF 8 date: Thu 02 Feb 2023 13:37:37 GMT server: LiteSpeed alt svc: quic= :443 ma=2592000 v= 35 39 43 44",
"whitelists are really not the way forward unless you validate the integrity often Speedtest are also being screwed with ie allowing your neural controlled network out on a temp basis to prevent you from ousting the APT controlling your home broadband / wifi network",
"xml version= 1.0 encoding= utf 8 DOCTYPE html PUBLIC //WAPFORUM//DTD XHTML Mobile 1.0//EN http://www.wapforum.org/DTD/xhtml mobile10.dtd html xmlns= http://www.w3.org/1999/xhtml head meta http equiv= Content Type content= text/html charset=utf 8 / title mua bn nh t cho thu nh t sang nhng sang nhng ca hng /title meta name= copyright content= 2010 2020 bds247.vn / meta name= google site verification content= suyiBYZARDnZ4zGeoAiF VajqMQ0pgLGnEm69aZ aIY / meta name= robots content= index follow / meta name= key",
"https://m.bds247.vn//view/js/jquery6_1.js 443",
"https://www.googletagmanager.com/gtag/js?id=G-56M7ZWVN9L",
"https://m.bds247.vn/lib/nivo-slider/slider.js 443 Script",
"https://m.bds247.vn/view/js/page.js 443 Script",
"https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js 443 Script",
"https://m.bds247.vn/lib/pikachoose/lib/jquery.pikachoose.js",
"This is the full text of the XHTML mobile10.dtd.xml, which is based on the code created by the developers of Google's search engine, iPlayer and other sites.",
"https://m.bds247.vn//view/js/jquery6_1.js",
"https://m.bds247.vn/lib/nivo-slider/slider.js",
"https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 802,
"hostname": 392,
"FileHash-SHA256": 82,
"domain": 134,
"FileHash-MD5": 1
},
"indicator_count": 1411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "1142 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "62e1ca167a1591e7b4ca1129",
"name": "VirusTotal view-source on https://www.virustotal.com/en/file/undefined/analysis/",
"description": "someone really needs to figure out wtf this is all doing it has to be part of the net.sh",
"modified": "2022-07-28T02:05:04.183000",
"created": "2022-07-27T23:28:22.504000",
"tags": [
"array",
"object",
"typeof t",
"layer1",
"error",
"path",
"function",
"typeerror",
"date",
"svg export",
"span",
"null",
"unknown",
"click",
"february",
"april",
"june",
"august",
"this",
"void",
"bounce",
"string",
"regexp",
"number",
"sxa0",
"amptoken",
"optout",
"notfound",
"contenttype",
"form",
"copyright",
"element",
"polymer project",
"authors",
"bsd style",
"code",
"google",
"software",
"window",
"generator",
"comment",
"trident",
"typeof e",
"typeof symbol",
"typeof btoa",
"btoa",
"typeof reflect",
"boolean",
"customevent",
"plugin",
"build",
"home",
"intelligence",
"graph",
"report",
"urls",
"please",
"javascript",
"https://www.virustotal.com/en/file/undefined/analysis/",
"net.sh"
],
"references": [
"entity%3Aip%20whois%3Ainfo%40anodicnetwork.com.html",
"14.main.bundle.91f9f7ff635e0b797de3.js",
"5.main.bundle.e92e5e24e074f9c2a52b.js",
"0.main.bundle.a9d68f5204cd3ac257b6.js",
"webcomponent-polyfill.js",
"analytics.js",
"12.main.bundle.50be73a11d1d3745a5ee.js",
"\" Page not found Page not found