{
  "type": "Domain",
  "indicator": "excite.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/excite.com",
    "alexa": "http://www.alexa.com/siteinfo/excite.com",
    "indicator": "excite.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain excite.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 1655321,
      "indicator": "excite.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 50,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2dc7e076cbfe2d0f7eb90",
          "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
          "description": "",
          "modified": "2026-05-30T00:28:12.957000",
          "created": "2026-04-30T04:37:18.870000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fc29a49b5ac693c8d75122",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3851,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3330,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31781,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc7a6778f84c179d27073",
          "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
          "description": "",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:31:34.221000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "69efc567ae24b8285a71099d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1039,
            "hostname": 868,
            "domain": 687,
            "URL": 2226,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 96,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5064,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc567ae24b8285a71099d",
          "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
          "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:21:59.824000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1037,
            "hostname": 865,
            "domain": 685,
            "URL": 2224,
            "FileHash-MD5": 131,
            "FileHash-SHA1": 94,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5051,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d6c7fec016b76d49ed95ae",
          "name": "VirusTotal report\n                    for index.html",
          "description": "shatter",
          "modified": "2026-05-08T22:06:56.603000",
          "created": "2026-04-08T21:26:22.351000",
          "tags": [
            "performs dns",
            "united",
            "https",
            "found",
            "tls version",
            "mitre attack",
            "network info",
            "processes extra",
            "urls",
            "t1055 process",
            "phishing",
            "next",
            "script",
            "doctype html",
            "variablece2034",
            "head"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
            "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 442,
            "FileHash-MD5": 245,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 573,
            "URL": 570,
            "hostname": 1058,
            "email": 3,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3094,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2dc7db0bb5c5cdaec5a6c",
          "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
          "description": "",
          "modified": "2026-04-30T04:53:09.713000",
          "created": "2026-04-30T04:37:17.546000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "66fc29a49b5ac693c8d75122",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3851,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3330,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31781,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6992bae83a5988dff8311490",
          "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
          "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
          "modified": "2026-04-24T13:20:48.450000",
          "created": "2026-02-16T06:36:24.788000",
          "tags": [
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
            "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
            "#PotentialUS-Origin_FalseFlag_Obfuscation"
          ],
          "references": [
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
            "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
            "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
            "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
            "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
            "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
            "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
            "",
            "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
            "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
            "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
            "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
            "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
            "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
            "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
            "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
            "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
            "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
            "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
            "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
          ],
          "public": 1,
          "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Malware Family: StealthWorker / GoBrut",
              "display_name": "Malware Family: StealthWorker / GoBrut",
              "target": "/malware/Malware Family: StealthWorker / GoBrut"
            },
            {
              "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2166,
            "FileHash-SHA1": 2067,
            "FileHash-SHA256": 3371,
            "domain": 13295,
            "URL": 6860,
            "email": 272,
            "hostname": 4705,
            "SSLCertFingerprint": 268,
            "CVE": 108,
            "CIDR": 6
          },
          "indicator_count": 33118,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b7241a63b7527ac2b04d60",
          "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]",
          "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019  by msudosos notated in  references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]",
          "modified": "2026-04-14T18:06:37.524000",
          "created": "2026-03-15T21:26:50.218000",
          "tags": [
            "man software",
            "destination",
            "port",
            "united",
            "delete",
            "read c",
            "virustotal",
            "patched3_c.akrv",
            "armadillov171",
            "dod",
            "thinkman",
            "win32",
            "trojan",
            "present mar",
            "backdoor",
            "urls",
            "files",
            "unknown",
            "search",
            "china as23724",
            "asnone",
            "artemis",
            "zeppelin",
            "drweb",
            "vipre",
            "panda",
            "malware",
            "suspicious",
            "cloud",
            "logic",
            "et trojan",
            "et info",
            "download",
            "windows",
            "embeddedwb",
            "shellexecuteexw",
            "msie",
            "windows nt",
            "writeconsolew",
            "displayname",
            "service",
            "ids detections",
            "yara detections",
            "crypt",
            "medium",
            "whitelisted",
            "passive dns",
            "worm",
            "mtb may",
            "mtb aug",
            "otx logo",
            "all ipv4",
            "pulse pulses",
            "dynamicloader",
            "yara rule",
            "ff d5",
            "high",
            "reg add",
            "regsz d",
            "write",
            "file type",
            "pexe",
            "pe32",
            "intel",
            "ms windows",
            "pe packer",
            "pm size",
            "pehash",
            "richhash",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "found",
            "over",
            "sha256",
            "sha1",
            "ascii text",
            "size",
            "mitre att",
            "pattern match",
            "null",
            "span",
            "error",
            "body",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "refresh",
            "tools",
            "title",
            "show technique",
            "look",
            "verify",
            "restart",
            "t1480 execution",
            "navy",
            "reputation",
            "adult content",
            "cyber warfare"
          ],
          "references": [
            "AVDetections:  Patched3_c.AKRV",
            "Yara Detections: Armadillov171",
            "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http",
            "IP\u2019s Contacted:  8.8.8.8  78.46.218.253  74.208.229.157  192.5.41.40",
            "Contacted Domains:  tick.usno.navy.mil www.thinkman.com",
            "AS27064 DOD Network Information Center? |  192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States",
            "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States",
            "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany",
            "AS15169 google llc  | 8.8.8.8\t| dns.google | United States",
            "Email: d4@thinkman.com",
            "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States",
            "ASN AS27064 dod network information center",
            "Nameservers: dns5.disa.mil. ,  dns4.disa.mil. ,  squad.navo.mil. ,  crnaone.navy.mil. ,  dns1.disa.mil.",
            "Nameservers: squid.navo. ,  squid.navo.mil. ,  dns2.disa.mil. ,  minnow.navo. ,  navy.mil. ,  dns3.disa.mil.",
            "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen",
            "TrojanDownloader:Win32/Umbald.A\tMalware infection",
            "IDS Detections: Win32/Tofsee.AX google.com connectivity check",
            "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc",
            "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process",
            "Alerts: stealth_window packer_entropy uses_windows_utilities",
            "Alerts: console_output antivm_memory_available pe_features",
            "Yara Detections: MS_Visual_Basic_6_0",
            "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun",
            "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe",
            "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
            "Alerts:  injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities",
            "Alerts:  queries_user_name queries_keyboard_layout queries_locale_api",
            "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types",
            "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com",
            "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/",
            "navy.mil \u2022 http://acts.navair.navy.mil \u2022  http://logistics.navair.navy.mil/rcm/",
            "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous",
            "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host",
            "444ea032708bb0d940de0ef72b944244 | credit msudosos",
            "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244",
            "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]",
            "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf",
            "DoD related:  192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26",
            "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif",
            "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )",
            "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )",
            "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0",
            "mailbox.co.za",
            "fmx32.aig.com \u2022  167.230.105.81",
            "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Patched3_c.AKRV",
              "display_name": "Patched3_c.AKRV",
              "target": null
            },
            {
              "id": "Win32:Agent-ALXE\\ [Rtk]",
              "display_name": "Win32:Agent-ALXE\\ [Rtk]",
              "target": null
            },
            {
              "id": "Win.Trojan.Rootkit-4668",
              "display_name": "Win.Trojan.Rootkit-4668",
              "target": null
            },
            {
              "id": "Trojan:Win32/Tiggre!rfn",
              "display_name": "Trojan:Win32/Tiggre!rfn",
              "target": "/malware/Trojan:Win32/Tiggre!rfn"
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Tofsee.T",
              "display_name": "Backdoor:Win32/Tofsee.T",
              "target": "/malware/Backdoor:Win32/Tofsee.T"
            },
            {
              "id": "Inject2.BIVE",
              "display_name": "Inject2.BIVE",
              "target": null
            },
            {
              "id": "Crypt3.CHZW",
              "display_name": "Crypt3.CHZW",
              "target": null
            },
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "Crypt3.BXMJ",
              "display_name": "Crypt3.BXMJ",
              "target": null
            },
            {
              "id": "Crypt3.BOQD\t\t Inject2.BHBW",
              "display_name": "Crypt3.BOQD\t\t Inject2.BHBW",
              "target": null
            },
            {
              "id": "Crypt3.BMVU",
              "display_name": "Crypt3.BMVU",
              "target": null
            },
            {
              "id": "Trojan.DownLoader12.43161",
              "display_name": "Trojan.DownLoader12.43161",
              "target": null
            },
            {
              "id": "HEUR/UnSec",
              "display_name": "HEUR/UnSec",
              "target": null
            },
            {
              "id": "ET Trojan",
              "display_name": "ET Trojan",
              "target": null
            },
            {
              "id": "Win32:Trojan-gen",
              "display_name": "Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Umbald.A",
              "display_name": "TrojanDownloader:Win32/Umbald.A",
              "target": "/malware/TrojanDownloader:Win32/Umbald.A"
            }
          ],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1048.003",
              "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
              "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1048.001",
              "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
              "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            }
          ],
          "industries": [
            "Government",
            "Military",
            "Defense",
            "Insurance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 165,
            "FileHash-SHA1": 165,
            "FileHash-SHA256": 3524,
            "URL": 11424,
            "email": 1,
            "hostname": 3954,
            "domain": 2523
          },
          "indicator_count": 21756,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "46 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b92a27c47d4e28927364",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:26.110000",
          "created": "2026-03-12T13:01:30.067000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "80 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b9295603a6100edfa8c8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:25.387000",
          "created": "2026-03-12T13:01:29.284000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "80 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927aa7f10e82639d204",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.872000",
          "created": "2026-03-12T13:01:27.872000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927c086397130c5d114",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.275000",
          "created": "2026-03-12T13:01:27.275000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b926871746ed8a1bc324",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:26.440000",
          "created": "2026-03-12T13:01:26.440000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b925e85c948d4dd608cc",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:25.852000",
          "created": "2026-03-12T13:01:25.852000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e974189d2c41f07ed8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:25.910000",
          "created": "2026-03-12T13:00:25.910000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e74d2b3effd55f88c3",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:23.173000",
          "created": "2026-03-12T13:00:23.173000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8dfbf8426a7a1d0146d",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:15.427000",
          "created": "2026-03-12T13:00:15.427000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d7123610591625b8fb",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:07.354000",
          "created": "2026-03-12T13:00:07.354000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d61e3f64a8f1f169b6",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:06.214000",
          "created": "2026-03-12T13:00:06.214000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d24eeb4200bdb1d702",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:02.096000",
          "created": "2026-03-12T13:00:02.096000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "80 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695c8007f67e8b9a6bb276c5",
          "name": "export_USERS 1-14000 / 157705",
          "description": "UAlberta Azure/Entra (partial)\nRelated to Pulse 'Ghosts' [ loads into system files ]",
          "modified": "2026-02-05T03:05:05.683000",
          "created": "2026-01-06T03:22:47.101000",
          "tags": [
            "true",
            "member",
            "guest",
            "invitation",
            "emailverified",
            "notadult",
            "zhang",
            "nguyen",
            "smith",
            "andison",
            "wang",
            "yang",
            "king",
            "pandit",
            "martin",
            "hong",
            "murray",
            "davis",
            "perez",
            "kremp",
            "walker",
            "rush",
            "ding",
            "cheng",
            "jarvis",
            "casey",
            "blank",
            "jason",
            "hope",
            "shang",
            "lambert",
            "hare",
            "hustler",
            "nichols",
            "james",
            "wong",
            "patel",
            "grewal",
            "rana",
            "jaber",
            "david",
            "hawkshaw",
            "jackson",
            "hunter",
            "horn",
            "modi",
            "baixue",
            "chen",
            "reid",
            "mendoza",
            "bone",
            "dada",
            "stepan",
            "fisher",
            "roma",
            "barry",
            "moran",
            "goodwin",
            "tack",
            "baran",
            "donald",
            "pedro",
            "green",
            "dennis",
            "stop",
            "kaneria",
            "duke",
            "goli",
            "bach",
            "hwang",
            "hill",
            "mark",
            "victor",
            "pino",
            "little",
            "misa",
            "gloria",
            "mesina",
            "matta",
            "shen",
            "splinter",
            "sohana",
            "alex",
            "jean",
            "madro",
            "coco",
            "zhao",
            "support",
            "lynda",
            "daniel",
            "info",
            "brick",
            "wagner",
            "stark",
            "starr",
            "dorn",
            "repka",
            "heck",
            "park",
            "tang",
            "multiple1162021",
            "alexander",
            "gibbon",
            "calgary",
            "matthew",
            "bian",
            "shah",
            "johnson",
            "delfs",
            "morrison",
            "flood",
            "black",
            "valencia",
            "bredo",
            "singh",
            "chan",
            "ahmed",
            "salm",
            "faisal",
            "agena",
            "bella",
            "crow",
            "yurkiw",
            "xgygy0094",
            "huang",
            "trinity",
            "aris",
            "alisa",
            "cardinal",
            "wolf",
            "corona",
            "abbas",
            "rasim",
            "asher",
            "motil",
            "xena",
            "hammer",
            "hack",
            "chin",
            "odysseus",
            "otto",
            "jain",
            "joshi",
            "hole",
            "daum",
            "stack",
            "murphy",
            "leon",
            "meadwell",
            "owumi",
            "royce",
            "luna",
            "eddie",
            "stone",
            "stang",
            "code",
            "paradis",
            "zhen",
            "sood",
            "pepper",
            "mill",
            "cassidy",
            "blade",
            "minimo",
            "sweet",
            "toal"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "domain": 243,
            "email": 14365,
            "hostname": 104
          },
          "indicator_count": 14717,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "115 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "687992eceac6f12e9cebd65f",
          "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
          "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
          "modified": "2025-12-28T19:04:27.449000",
          "created": "2025-07-18T00:18:50.968000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 375,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 7,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "privacynotacrime",
            "id": "349346",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "153 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6854082f2edb40c1c80b0831",
          "name": "JSDdelivr blocklist",
          "description": "",
          "modified": "2025-06-19T14:28:09.610000",
          "created": "2025-06-19T12:53:03.734000",
          "tags": [],
          "references": [
            "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5675,
            "hostname": 171
          },
          "indicator_count": 5846,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "346 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fc29a49b5ac693c8d75122",
          "name": "Medical Campus - Aurora, Co | Recheck",
          "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
          "modified": "2024-10-31T16:03:52.240000",
          "created": "2024-10-01T16:56:04.004000",
          "tags": [
            "united",
            "as397240",
            "search",
            "showing",
            "as54113",
            "as397241",
            "unknown",
            "moved",
            "creation date",
            "record value",
            "next",
            "date",
            "body",
            "a domains",
            "passive dns",
            "formbook cnc",
            "checkin",
            "entries",
            "github pages",
            "sea x",
            "accept",
            "status",
            "name servers",
            "certificate",
            "urls",
            "aaaa",
            "cname",
            "meta",
            "whitelisted ip",
            "address",
            "location united",
            "asn as36459",
            "github",
            "less whois",
            "registrar",
            "markmonitor",
            "related tags",
            "as36459",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "ninite",
            "expiration date",
            "domain",
            "hostname",
            "sha256",
            "sha1",
            "ascii text",
            "pattern match",
            "document file",
            "v2 document",
            "utf8",
            "crlf line",
            "beginstring",
            "size",
            "null",
            "hybrid",
            "refresh",
            "span",
            "local",
            "click",
            "strings",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "contact",
            "url https",
            "tulach type",
            "role title",
            "added active",
            "pulses url",
            "url http",
            "nextc type",
            "type indicator",
            "related pulses",
            "filehashsha256",
            "copyright",
            "ipv6",
            "germany",
            "italy",
            "trojan",
            "trojanspy",
            "worm",
            "trojanclicker",
            "virtool",
            "service",
            "linux x8664",
            "khtml",
            "gecko",
            "veryhigh",
            "redirect",
            "httpsupgrades",
            "collisionbox",
            "runner",
            "gameoverpanel",
            "trex",
            "orgtechhandle",
            "orgtechref",
            "director",
            "university",
            "nethandle",
            "net168",
            "net1680000",
            "ucha",
            "orgid",
            "east",
            "report spam",
            "as8075",
            "servers",
            "secure server",
            "error all",
            "typeof",
            "error f",
            "crazy doll",
            "created",
            "filehashmd5",
            "types of",
            "russia",
            "emotet type",
            "mirai type",
            "mirai",
            "mtb description",
            "win32 type",
            "as31034 aruba",
            "italy unknown",
            "as19527 google",
            "encrypt",
            "health type",
            "miori hackers",
            "brute force",
            "backdoor",
            "aurora",
            "ip address",
            "path",
            "unis",
            "dotcisoffer",
            "bladabindi",
            "artro",
            "script urls",
            "as46606",
            "brazil unknown",
            "as11284",
            "as10906",
            "apache",
            "lanc type",
            "telper",
            "win32",
            "win64",
            "pulses email",
            "as9009 m247",
            "as7296 alchemy",
            "as14061",
            "as16276",
            "trojandropper",
            "ransom",
            "mtb sep",
            "msie",
            "chrome",
            "ip check",
            "gmt content",
            "pulse submit",
            "url analysis",
            "files ip",
            "aaaa nxdomain",
            "nxdomain",
            "a nxdomain",
            "as22612",
            "dnssec",
            "meta http",
            "accept encoding",
            "request id",
            "united kingdom",
            "div div",
            "arial helvetica",
            "emails",
            "as15169 google",
            "cryp",
            "gmt cache",
            "sameorigin",
            "domain name",
            "code",
            "false",
            "command type",
            "roleselfservice",
            "mcig sep",
            "all search",
            "author avatar",
            "days ago",
            "http",
            "related nids",
            "files location",
            "as30081",
            "gmt contenttype",
            "mozilla",
            "as15133 verizon",
            "whitelisted",
            "meta name",
            "robots content",
            "x ua",
            "ieedge chrome1",
            "incapsula",
            "request",
            "softcnapp",
            "overview ip",
            "flag united",
            "files related",
            "as62597 nsone",
            "as31898 oracle",
            "mtb aug",
            "class",
            "twitter",
            "april",
            "secure",
            "httponly",
            "expiresthu",
            "pragma",
            "as13414 twitter",
            "smoke loader",
            "reverse dns",
            "asnone united",
            "idlogin sep",
            "uid38009",
            "expiration",
            "hack type",
            "porn type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Aruba"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3850,
            "FileHash-MD5": 6012,
            "FileHash-SHA1": 5906,
            "domain": 3329,
            "email": 33,
            "hostname": 4231,
            "CVE": 2,
            "FileHash-SHA256": 8407,
            "CIDR": 2,
            "SSLCertFingerprint": 7
          },
          "indicator_count": 31779,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 236,
          "modified_text": "577 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f100d791f9f9f6ab7b4f24",
          "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
          "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
          "modified": "2024-10-23T05:03:21.045000",
          "created": "2024-09-23T05:47:03.625000",
          "tags": [
            "isp charter",
            "usage type",
            "fixed line",
            "isp hostname",
            "domain name",
            "country united",
            "america city",
            "denver",
            "colorado",
            "ip address",
            "whois",
            "check",
            "information isp",
            "inc usage",
            "type fixed",
            "line isp",
            "hostname",
            "plesk forum",
            "centos web",
            "panel forum",
            "whois lookup",
            "netrange",
            "nethandle",
            "net107",
            "net1070000",
            "cc3517",
            "inc orgid",
            "dr city",
            "stateprov",
            "postalcode",
            "status",
            "as7843 charter",
            "united",
            "name servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "emails",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "files",
            "reverse dns",
            "location united",
            "win32",
            "abuseipdb",
            "read",
            "write",
            "read c",
            "server header",
            "show",
            "suspicious",
            "kelihos",
            "trojan",
            "artemis",
            "virustotal",
            "download",
            "drweb",
            "vipre",
            "panda",
            "malware",
            "specified",
            "next",
            "et trojan",
            "et info",
            "medium",
            "http",
            "ids detections",
            "yara detections",
            "e98c1cec8156",
            "as11426 charter",
            "as20001 charter",
            "as11427 charter",
            "as11351 charter",
            "as16787 charter",
            "as33363 charter",
            "as20115 charter",
            "as10796 charter",
            "as12271 charter",
            "body",
            "servers",
            "all search",
            "entries",
            "intel",
            "ms windows",
            "windows nt",
            "destination",
            "port",
            "asnone",
            "heurunsec",
            "etpro trojan",
            "nxdomain",
            "a nxdomain",
            "aaaa",
            "asnone united",
            "aaaa nxdomain",
            "backdoor",
            "pulse submit",
            "url analysis",
            "location oxford",
            "as3456 charter",
            "moved",
            "showing",
            "body doctype",
            "html public",
            "ietfdtd html",
            "as6976 verizon",
            "as701 verizon",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "levelblue",
            "related pulses",
            "pulse pulses",
            "kryptikpii",
            "msr apr",
            "date",
            "creation date",
            "analyzer paste",
            "iocs",
            "samples",
            "secure server",
            "cname",
            "as5742",
            "body head",
            "object moved",
            "content length",
            "content type",
            "cookie",
            "as15133 verizon",
            "lowfi",
            "gmt server",
            "ecacc",
            "record value",
            "oxford",
            "michigan",
            "ns nxdomain",
            "soa nxdomain",
            "url http",
            "mitre att",
            "evasion ta0005",
            "creates",
            "discovery t1082",
            "reads software",
            "file",
            "t1083 reads",
            "jujubox",
            "zenbox",
            "get http",
            "request",
            "host",
            "win64",
            "khtml",
            "gecko",
            "response",
            "cus cndigicert",
            "tls rsa",
            "user",
            "javascript c",
            "doscom c",
            "text c",
            "files c",
            "storage",
            "file system",
            "filesadobe c",
            "appdata",
            "appdatalocal",
            "hostnames",
            "ta0002 command",
            "t1059 very",
            "t1064",
            "javascript",
            "modules t1129",
            "ta0003 create",
            "modify system",
            "process t1543",
            "windows service",
            "cisco umbrella",
            "blacklist",
            "safe site",
            "filerepmalware",
            "microsoft",
            "phishing bank",
            "sgeneric",
            "malware site",
            "unsafe",
            "number",
            "cus cngts",
            "ogoogle trust",
            "subject",
            "algorithm",
            "cus ouserver",
            "ouserver ca",
            "record type",
            "ttl value",
            "msms86718722",
            "query",
            "open",
            "capa",
            "create process",
            "windows create",
            "delete file",
            "write file",
            "windows check",
            "os version",
            "enumerate",
            "hashes",
            "signals mutexes",
            "mutexes",
            "open threat",
            "location los",
            "emails info",
            "expiration date",
            "write c",
            "process32nextw",
            "regsetvalueexa",
            "regdword",
            "module load",
            "t1129",
            "as51167 contabo",
            "germany unknown",
            "as40021 contabo",
            "encrypt",
            "hosting",
            "netherlands asn",
            "as204601 zomro",
            "pulses",
            "tags",
            "related tags",
            "indicator facts",
            "historical otx",
            "files ip",
            "asnone germany",
            "as174 cogent",
            "czechia unknown",
            "whitelisted",
            "certificate",
            "bittorrent dht",
            "post http",
            "et p2p",
            "cryptexportkey",
            "invalid pointer",
            "delete c",
            "post utcore",
            "benchhttp",
            "mozilla",
            "maldoc",
            "service",
            "tools",
            "nids",
            "et",
            "x95xd3xa4",
            "regbinary",
            "hx88x89",
            "kx82xd3x11",
            "xb9x8b",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "stream",
            "persistence",
            "execution",
            "dynamicloader",
            "contacted",
            "domains",
            "yara rule",
            "high",
            "dynamic",
            "pcap",
            "pushdo",
            "msie",
            "activity beacon",
            "malware beacon",
            "default",
            "redacted for",
            "for privacy",
            "as3379 kaiser",
            "server",
            "gmt content",
            "type",
            "x frame",
            "entries http",
            "scans show",
            "domain related",
            "no data",
            "tag count",
            "fakedout threat",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "detection list",
            "components",
            "zune",
            "etpro",
            "nod32",
            "avast avg",
            "next http",
            "example domain",
            "title meta",
            "invalid url",
            "akamai",
            "urls http",
            "as20940",
            "as16625 akamai",
            "netherlands",
            "germany",
            "france",
            "virtool",
            "rock",
            "address",
            "apache",
            "accept",
            "as8075",
            "pulse http",
            "related nids",
            "files location",
            "moldova related",
            "pulses none",
            "as31898 oracle",
            "title",
            "kryptiklfq",
            "win32dh",
            "vitro",
            "shutdown",
            "erase",
            "find",
            "close",
            "as53418",
            "hat server",
            "as797 att",
            "script urls",
            "a domains",
            "as10753 level",
            "script script",
            "meta",
            "path",
            "null",
            "stop",
            "as54113",
            "chrome",
            "as7018 att",
            "as28521",
            "mexico unknown",
            "fastly error",
            "please",
            "sea p",
            "object",
            "set cookie",
            "pragma",
            "as19536 directv",
            "united kingdom",
            "as60664 xion",
            "trojan features",
            "moldova unknown",
            "susp",
            "breaking news",
            "business",
            "finance",
            "entertainment",
            "sports",
            "games",
            "trending videos",
            "weather",
            "home",
            "as396982 google",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "cyberfolks",
            ".pl",
            "level 3"
          ],
          "references": [
            "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
            "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
            "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
            "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
            "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
            "IDS Detections: Suspicious double Server Header Possible Kelihos",
            "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
            "telemetry-incoming.r53-2.services.mozilla.com",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
            "http://www.door.net/ARISBE/arisbe.htm",
            "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
            "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Hungary",
            "Ukraine",
            "Spain",
            "Brazil",
            "Russian Federation",
            "Moldova, Republic of",
            "Japan",
            "Ireland",
            "Luxembourg",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Cerber Ransomware",
              "display_name": "Cerber Ransomware",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Inject3.QGY",
              "display_name": "Inject3.QGY",
              "target": null
            },
            {
              "id": "Kelihos",
              "display_name": "Kelihos",
              "target": null
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            },
            {
              "id": "NOD32",
              "display_name": "NOD32",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Sf:ShellCode-AU\\ [Trj]",
              "display_name": "Sf:ShellCode-AU\\ [Trj]",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2060,
            "hostname": 3067,
            "CIDR": 4,
            "URL": 1300,
            "email": 29,
            "FileHash-MD5": 3181,
            "FileHash-SHA1": 1994,
            "FileHash-SHA256": 3228,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 14866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "585 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e5f78f4505e0f1ed2b169a",
          "name": "Crypt3.BXVC",
          "description": "",
          "modified": "2024-10-14T20:01:07.396000",
          "created": "2024-09-14T20:52:31.163000",
          "tags": [
            "asnone",
            "as15169",
            "as16417 cisco",
            "as26211",
            "as22843",
            "as36647 oath",
            "as3356 level",
            "as36646 oath",
            "telecom"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia",
            "Canada",
            "Brazil",
            "Ireland",
            "India",
            "Singapore",
            "Spain",
            "Japan",
            "Belgium",
            "South Africa",
            "China",
            "Italy",
            "Aruba",
            "Germany",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Crypt3.BXVC",
              "display_name": "Crypt3.BXVC",
              "target": null
            },
            {
              "id": "WS.Reputation.1",
              "display_name": "WS.Reputation.1",
              "target": null
            },
            {
              "id": "Backdoor.Win32.Hlux.csf",
              "display_name": "Backdoor.Win32.Hlux.csf",
              "target": null
            },
            {
              "id": "Trojan.Downloader.JRJV",
              "display_name": "Trojan.Downloader.JRJV",
              "target": null
            },
            {
              "id": "Trojan.DownLoader12.20457",
              "display_name": "Trojan.DownLoader12.20457",
              "target": null
            },
            {
              "id": "TROJ_SPNV.01B615",
              "display_name": "TROJ_SPNV.01B615",
              "target": null
            },
            {
              "id": "Troj/HkMain-CC",
              "display_name": "Troj/HkMain-CC",
              "target": null
            },
            {
              "id": "Trojan/Win32.Ransom",
              "display_name": "Trojan/Win32.Ransom",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 100,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 175,
            "domain": 712,
            "hostname": 657,
            "URL": 1
          },
          "indicator_count": 1745,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "593 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c235b05007103d3e3e7038",
          "name": "HCA -  Win32:RansomX-gen affecting HCA (HealthOneCares) + Miscellaneous Attacks",
          "description": "HCA (Health One Cares) affected by a RansomX and various serious attacks. It's linked back to a neurosurgeon who is likely not responsible for attack of course. It has been the same,e group of attackers using Samuel Tulach engineered malware. I'm unsure if there is collusion between Brian Sabey (consistent attacker) and Samuel Tulach. I just know it relates back to the same threat actors that have been hacking healthcare facilities, government offices, telecommunications, technology at health centers abusing webcams and patients records modification, and distribution. PHI PII issues.",
          "modified": "2024-09-17T17:01:24.349000",
          "created": "2024-08-18T17:56:00.485000",
          "tags": [
            "blacklist http",
            "safe site",
            "no data",
            "tag count",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "cisco umbrella",
            "site",
            "alexa top",
            "united",
            "million",
            "mail spammer",
            "malicious site",
            "phishing site",
            "team phishing",
            "tofsee",
            "malware",
            "bank",
            "unsafe",
            "azorult",
            "cobalt strike",
            "service",
            "runescape",
            "facebook",
            "download",
            "zbot",
            "installcore",
            "nymaim",
            "suppobox",
            "malicious",
            "cl0p",
            "inmortal",
            "domains",
            "referrer",
            "historical ssl",
            "apple stuff",
            "combined",
            "hr rtd",
            "network",
            "collection",
            "vt graph",
            "round",
            "metro",
            "execution",
            "emotet",
            "startpage",
            "maltiverse top",
            "paypal",
            "blacklist",
            "passive dns",
            "related nids",
            "urls",
            "flag united",
            "accept",
            "acceptencoding",
            "hit age",
            "ip asn",
            "malware site",
            "adware",
            "fakealert",
            "opencandy",
            "exploit",
            "raccoon",
            "metastealer",
            "redline stealer",
            "anonymizer",
            "heur",
            "outlook",
            "phishing airbnb",
            "engineering",
            "phishing",
            "filerepmalware",
            "maltiverse",
            "div div",
            "c span",
            "div section",
            "span div",
            "search",
            "showing",
            "unknown",
            "as397240",
            "moved",
            "date",
            "body",
            "as54113",
            "github pages",
            "a domains",
            "entries",
            "mtb jul",
            "class",
            "sea x",
            "scan endpoints",
            "all scoreblue",
            "alf features",
            "related pulses",
            "file samples",
            "files matching",
            "show",
            "date hash",
            "next",
            "worm",
            "dynamicloader",
            "yara rule",
            "high",
            "windows",
            "grum",
            "medium",
            "installs",
            "windows startup",
            "application",
            "stream",
            "as22612",
            "ipv4",
            "pulse pulses",
            "files",
            "switch dns",
            "query",
            "data",
            "noname057",
            "password",
            "cybercrime",
            "malicious url",
            "kuaizip",
            "team",
            "downloader",
            "generic",
            "crack",
            "presenoker",
            "dapato",
            "riskware",
            "genkryptik",
            "fuery",
            "agent",
            "wacatac",
            "union",
            "shellexecuteexw",
            "hash",
            "writeconsolew",
            "registry",
            "t1031",
            "trojan",
            "copy",
            "dock",
            "write",
            "win32",
            "file execution",
            "explorer",
            "alerts",
            "checks",
            "bios",
            "system restore",
            "anne",
            "training",
            "strings http",
            "basic telephone",
            "xsl stylesheets",
            "apache fop",
            "createdate",
            "modifydate",
            "producer apache",
            "format",
            "core",
            "nxscspu",
            "zsextbzusbrvsk",
            "pxnzj",
            "jwxkrhdlrivprs",
            "default",
            "qxrfnjuodik",
            "mncau",
            "csqvrkwsqka",
            "testpath path",
            "else",
            "null",
            "suspicious",
            "win64",
            "hotkey",
            "ransom",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pdb path",
            "pe resource",
            "push"
          ],
          "references": [
            "https://www.healthonecares.com/physicians/profile/xxxxxxxxxx-MD | Attacker is tracking & hacking every service target has used.",
            "Adversary: https://tulach.cc/ - Maware engineer. It's believed his malware is being used by Brian Sabey of Hall Render",
            "Adversary: https://github.com/SamuelTulach/VirusTotalUploader",
            "https://work.a-poster.info",
            "Emotet: FileHash-MD5 9e78accf19de70b1e614c9bd9d9a7928",
            "Emotet:   FileHash-SHA1 2493981a18613a750ac3165199ec030a7c00663f",
            "Emotet: FileHash-SHA256 0071c6eea86a219777df283cc476ca450df4b04f4c7ed0eb48fbdf3a9cf7888f",
            "http://feeds.soundcloud.com/users/soundcloud:users:73198681/sounds.rss",
            "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec",
            "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec",
            "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA256 00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32",
            "pornhero.net| itsyourporn.com | http://cdn.itsyourporn.com | http://cdn.itsyourporn.com/assets/images/logo.jpg.  http://cdn2.video.itsyourporn.com | https://cdn.itsyourporn.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "Antivirus Detections Other:Malware-gen\\ [Trj] ,  ALF:TrojanDownloader:PowerShell/Ploprolo.DB  Alerts network_icmp nolookup_communication injection_resumethread suspicious_powershell",
            "IDS Detections: IDS Detections SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)",
            "IDS Detections: Possible HTA Application Download Dotted Quad Host HTA Request HTTP request for .exe file with no User-Agent",
            "Alerts: network_icmp nolookup_communication injection_resumethread suspicious_powershell network_cnc_http",
            "Antivirus Detections: Win.Malware.Moonlight-9919383-0 ,  Worm:Win32/Lightmoon.H",
            "Yara Detections: Nrv2x ,  upx_3 ,  UPX_OEP_place ,  UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX",
            "Alerts: antidebug_windows infostealer_cookies persistence_autorun antivm_generic_bios deletes_executed_files",
            "Alerts: disables_system_restore infostealer_mail persistence_ifeo recon_fingerprint stealth_hidden_extension stealth_hiddenreg"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Cl0p",
              "display_name": "Cl0p",
              "target": null
            },
            {
              "id": "Inmortal",
              "display_name": "Inmortal",
              "target": null
            },
            {
              "id": "Domains",
              "display_name": "Domains",
              "target": null
            },
            {
              "id": "ALF:Trojan:Win32/Cassini_f28c33a2",
              "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn",
              "display_name": "ALF:HeraklezEval:Worm:Win32/Mimail!rfn",
              "target": null
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "Trojan:Win32/Emotet.YL",
              "display_name": "Trojan:Win32/Emotet.YL",
              "target": "/malware/Trojan:Win32/Emotet.YL"
            },
            {
              "id": "Win32:RansomX-gen\\ [Ransom]",
              "display_name": "Win32:RansomX-gen\\ [Ransom]",
              "target": null
            },
            {
              "id": "Worm:Win32/Lightmoon.H",
              "display_name": "Worm:Win32/Lightmoon.H",
              "target": "/malware/Worm:Win32/Lightmoon.H"
            },
            {
              "id": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
              "display_name": "ALF:TrojanDownloader:PowerShell/Ploprolo.DB",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Civilian Society",
            "Technology",
            "Healthcare",
            "Telecommunications",
            "Media"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 50,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 891,
            "FileHash-MD5": 2368,
            "FileHash-SHA1": 1873,
            "FileHash-SHA256": 5092,
            "domain": 648,
            "hostname": 557,
            "CVE": 8,
            "email": 2
          },
          "indicator_count": 11439,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "621 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "669f882c5109175fe742fe58",
          "name": "(I Cloned Title & Pulse) WHO EVERYONE HAS BEEN LOOKING FOR  [Pulse of  IoC's Curated  by user Streaming Ex]",
          "description": "",
          "modified": "2024-07-23T10:38:36.002000",
          "created": "2024-07-23T10:38:36.002000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65709e14974bdb5d6dbda091",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2066,
            "URL": 1939,
            "hostname": 2768,
            "FileHash-SHA256": 276,
            "email": 90,
            "CVE": 47,
            "CIDR": 1,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 4
          },
          "indicator_count": 7207,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "677 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66480cb1cc174fd804e0cef9",
          "name": "Elgoogle",
          "description": "",
          "modified": "2024-05-18T02:12:28.801000",
          "created": "2024-05-18T02:04:33.967000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65709f0bbdd32cb4b343a12f",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Elgoogle",
            "id": "281171",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2218,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1175,
            "hostname": 2514,
            "JA3": 2,
            "email": 83,
            "FileHash-SHA1": 7164,
            "CVE": 35
          },
          "indicator_count": 44904,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 8,
          "modified_text": "743 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c5e50dda752af9eab50933",
          "name": "Side 3 Studios Pegasus Attack Denver, Co \u2022 SkyNet BotNetwork",
          "description": "Pegasus abuse by an alleged legal team with the malware hosting DGA domain https://hallrender.com. Related to an ongoing attack by a M.Brian Sabey who has fixated on a non criminal target. It's frightening to see the carelessness of the Cellebrite tool at work. \nAccording to all written accounts Side 3 provides services to Grammy award winning, nominated and aspiring artists. If you're heard of them , they've recorded there. There is evidence of music file transfers possibly, illegally sold to well known artist. This may have been done without knowledge of studio representatives. More likely by a hacker who boldly informed.",
          "modified": "2024-03-10T08:03:07.690000",
          "created": "2024-02-09T08:40:45.976000",
          "tags": [
            "malware",
            "pegasus",
            "cellbrite",
            "targets sa",
            "survivor",
            "referrer",
            "contacted urls",
            "contacted",
            "whois record",
            "hr rtd",
            "execution",
            "ssl certificate",
            "communicating",
            "skynet",
            "malicious",
            "csc corporate",
            "domains",
            "code",
            "t services",
            "date",
            "saint louis",
            "server",
            "registrar abuse",
            "whois lookups",
            "tech email",
            "threat roundup",
            "july",
            "march",
            "june",
            "files",
            "august",
            "phishing",
            "service",
            "amadey",
            "blacknet rat",
            "roundup",
            "magecart",
            "powershell",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "gmt vary",
            "gmt connection",
            "link",
            "studio",
            "side",
            "studios",
            "downtown denver",
            "colorado",
            "studios og",
            "html info",
            "title denver",
            "studios meta",
            "tags og",
            "hallrender",
            "mark brian sabey",
            "tulach",
            "passive dns",
            "urls",
            "scan endpoints",
            "all octoseek",
            "hostname",
            "pulse submit",
            "url analysis",
            "domain",
            "files ip",
            "united",
            "as36646 oath",
            "unknown",
            "body doctype",
            "yahoo title",
            "x ua",
            "ieedge chrome1",
            "possible",
            "as19137 epsilon",
            "ipv4",
            "pulse pulses",
            "body",
            "headers nel",
            "contentencoding",
            "connection",
            "access control",
            "search",
            "address",
            "domain robot",
            "record value",
            "next",
            "parking crew",
            "tracking",
            "tsara brashears",
            "targeting",
            "as20940",
            "aaaa",
            "as714 apple",
            "as16625 akamai",
            "win32mydoom feb",
            "name servers",
            "as6185 apple",
            "creation date",
            "trojan",
            "virtool",
            "worm",
            "servers",
            "expiration date",
            "moved",
            "certificate",
            "showing",
            "entries"
          ],
          "references": [
            "adsl-074-168-130-217.sip.pns.bellsouth.net",
            "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
            "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm",
            "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]",
            "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios",
            "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21",
            "https://otx.alienvault.com/indicator/ip/74.6.231.21",
            "nr-data.net [Apple Private Data Collection]",
            "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]",
            "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]"
          ],
          "public": 1,
          "adversary": "NSO GROUP",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "AMADEY",
              "display_name": "AMADEY",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "BlackNET RAT",
              "display_name": "BlackNET RAT",
              "target": null
            },
            {
              "id": "Possible",
              "display_name": "Possible",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3263,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 125,
            "FileHash-SHA256": 2596,
            "domain": 1168,
            "hostname": 1877,
            "CVE": 2,
            "email": 6
          },
          "indicator_count": 9170,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "812 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b806e2724db65b47cf66e0",
          "name": "AiCloud - Comcast Dnspionage",
          "description": "",
          "modified": "2024-02-27T19:04:14.842000",
          "created": "2024-01-29T20:13:22.271000",
          "tags": [
            "prefetch8",
            "command decode",
            "prefetch1",
            "suricata ipv4",
            "suricata udpv4",
            "mitre att",
            "united",
            "ck id",
            "show technique",
            "ck matrix",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "passive dns",
            "as7922 comcast",
            "x ua",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "meta",
            "status",
            "creation date",
            "search",
            "record value",
            "expiration date",
            "name servers",
            "next",
            "ai cloud",
            "cname",
            "as7018 att",
            "win32",
            "entries",
            "unknown",
            "body",
            "no redirect",
            "dynamicloader",
            "msie",
            "windows nt",
            "as16509",
            "medium",
            "default",
            "show",
            "copy",
            "powershell",
            "write",
            "pegasus",
            "apple mobile",
            "content",
            "nso group",
            "apple web",
            "apple app capable",
            "typosquatting",
            "spyware",
            "epoch"
          ],
          "references": [
            "c-67-181-73-197.hsd1.ca.comcast.net",
            "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259",
            "identity_helper.exe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "AndroidOverlayMalware - MOB-S0012",
              "display_name": "AndroidOverlayMalware - MOB-S0012",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65b6b54d59d24b1522364fd6",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 522,
            "URL": 1194,
            "domain": 440,
            "FileHash-SHA256": 1528,
            "CVE": 1,
            "email": 2,
            "FileHash-MD5": 297,
            "FileHash-SHA1": 297
          },
          "indicator_count": 4281,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "823 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b6b54d59d24b1522364fd6",
          "name": "AiCloud - Comcast Dnspionage",
          "description": "AiCloud, a cloud-based app that connects to Apple and Google, has been compromised by a malicious virus.",
          "modified": "2024-02-27T19:04:14.842000",
          "created": "2024-01-28T20:13:01.311000",
          "tags": [
            "prefetch8",
            "command decode",
            "prefetch1",
            "suricata ipv4",
            "suricata udpv4",
            "mitre att",
            "united",
            "ck id",
            "show technique",
            "ck matrix",
            "date",
            "hybrid",
            "general",
            "click",
            "strings",
            "contact",
            "passive dns",
            "as7922 comcast",
            "x ua",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "meta",
            "status",
            "creation date",
            "search",
            "record value",
            "expiration date",
            "name servers",
            "next",
            "ai cloud",
            "cname",
            "as7018 att",
            "win32",
            "entries",
            "unknown",
            "body",
            "no redirect",
            "dynamicloader",
            "msie",
            "windows nt",
            "as16509",
            "medium",
            "default",
            "show",
            "copy",
            "powershell",
            "write",
            "pegasus",
            "apple mobile",
            "content",
            "nso group",
            "apple web",
            "apple app capable",
            "typosquatting",
            "spyware",
            "epoch"
          ],
          "references": [
            "c-67-181-73-197.hsd1.ca.comcast.net",
            "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259",
            "identity_helper.exe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Pegasus",
              "display_name": "Pegasus",
              "target": null
            },
            {
              "id": "AndroidOverlayMalware - MOB-S0012",
              "display_name": "AndroidOverlayMalware - MOB-S0012",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 522,
            "URL": 1194,
            "domain": 440,
            "FileHash-SHA256": 1528,
            "CVE": 1,
            "email": 2,
            "FileHash-MD5": 297,
            "FileHash-SHA1": 297
          },
          "indicator_count": 4281,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "823 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659560d63178b32f07838efb",
          "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|",
          "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering,  spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.",
          "modified": "2024-02-02T12:04:41.638000",
          "created": "2024-01-03T13:27:50.685000",
          "tags": [
            "ioc search",
            "new ioc",
            "teams api",
            "contact",
            "threat analyzer",
            "threat",
            "paste",
            "iocs",
            "hostnames",
            "urls https",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "unsafeeval",
            "path",
            "expiressat",
            "auto",
            "wheels online",
            "o tires",
            "shop tires",
            "html info",
            "title shop",
            "tires",
            "meta tags",
            "big o",
            "tires language",
            "name verdict",
            "falcon sandbox",
            "samples",
            "localappdata",
            "json data",
            "temp",
            "getprocaddress",
            "ascii text",
            "windir",
            "file",
            "indicator",
            "mitre att",
            "ck id",
            "factory",
            "hybrid",
            "model",
            "comspec",
            "ssl certificate",
            "whois record",
            "execution",
            "contacted",
            "historical ssl",
            "whois whois",
            "simda http",
            "collections",
            "historical",
            "dropped",
            "backdoor",
            "unknown",
            "united",
            "asnone",
            "show",
            "entries",
            "search",
            "intel",
            "ms windows",
            "pe32",
            "windows nt",
            "copy",
            "write",
            "logic",
            "download",
            "malware",
            "suspicious",
            "next",
            "destination",
            "port",
            "components",
            "globalnpf",
            "china as23724",
            "music",
            "data c",
            "mexico",
            "as15169 google",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "win32",
            "united kingdom",
            "explorer",
            "xserver",
            "mtb aug",
            "location united",
            "america asn",
            "open",
            "trojan",
            "worm",
            "dataadobereader",
            "as397240",
            "msie",
            "etpro trojan",
            "virgin islands",
            "script urls",
            "creation date",
            "record value",
            "date",
            "a domains",
            "all search",
            "otx octoseek",
            "url http",
            "http",
            "related nids",
            "pulse http",
            "url https",
            "files location",
            "as20940",
            "aaaa",
            "as2914 ntt",
            "canada unknown",
            "japan unknown",
            "as16625 akamai",
            "domain",
            "hostname",
            "gmt content",
            "gmt report",
            "0 report",
            "sea alt",
            "body",
            "encrypt",
            "social engineering",
            "revenge rat",
            "rat",
            "identity theft",
            "credit card",
            "referrer",
            "communicating",
            "bundled",
            "family",
            "roots",
            "lolkek",
            "tzw variants",
            "quasar rat",
            "dark power",
            "swisyn",
            "wiper",
            "ransomware",
            "cobalt strike",
            "attack",
            "core",
            "emotet",
            "exploit",
            "hacktool",
            "mail spammer",
            "as63949 linode",
            "mtb dec",
            "checkin m1",
            "trojanspy",
            "artro",
            "remote",
            "infostealer"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Ukraine",
            "Georgia",
            "India",
            "Hong Kong",
            "Canada",
            "China",
            "Indonesia",
            "South Africa",
            "Germany",
            "Slovenia",
            "Mexico",
            "Netherlands",
            "Japan",
            "Spain",
            "Argentina",
            "France",
            "Chile",
            "Italy",
            "Aruba",
            "Switzerland",
            "United Kingdom of Great Britain and Northern Ireland",
            "Denmark",
            "Poland",
            "Colombia",
            "Taiwan",
            "Bulgaria",
            "Austria",
            "Russian Federation",
            "Australia",
            "Philippines",
            "Norway",
            "Sweden"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Comspec",
              "display_name": "Trojan:Win32/Comspec",
              "target": "/malware/Trojan:Win32/Comspec"
            },
            {
              "id": "#Lowfi:SCPT:KiraAsciiObfuscator",
              "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Simda",
              "display_name": "Backdoor:Win32/Simda",
              "target": "/malware/Backdoor:Win32/Simda"
            },
            {
              "id": "Crypt3.BLXP",
              "display_name": "Crypt3.BLXP",
              "target": null
            },
            {
              "id": "PWS:Win32/VB.CU",
              "display_name": "PWS:Win32/VB.CU",
              "target": "/malware/PWS:Win32/VB.CU"
            },
            {
              "id": "Trojan:MSIL/ClipBanker.GB!MTB",
              "display_name": "Trojan:MSIL/ClipBanker.GB!MTB",
              "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB"
            },
            {
              "id": "Virus:Win32/Floxif.H",
              "display_name": "Virus:Win32/Floxif.H",
              "target": "/malware/Virus:Win32/Floxif.H"
            },
            {
              "id": "Win.Packed.Zusy-7170176-0",
              "display_name": "Win.Packed.Zusy-7170176-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Zbot-9880005-0",
              "display_name": "Win.Trojan.Zbot-9880005-0",
              "target": null
            },
            {
              "id": "'Win32:Trojan-gen",
              "display_name": "'Win32:Trojan-gen",
              "target": null
            },
            {
              "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
              "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse",
              "target": null
            },
            {
              "id": "Worm:Win32/Mofksys.B",
              "display_name": "Worm:Win32/Mofksys.B",
              "target": "/malware/Worm:Win32/Mofksys.B"
            },
            {
              "id": "Worm:Win32/Mofksys.RND!MTB",
              "display_name": "Worm:Win32/Mofksys.RND!MTB",
              "target": "/malware/Worm:Win32/Mofksys.RND!MTB"
            },
            {
              "id": "Worm:LOGO/Logic",
              "display_name": "Worm:LOGO/Logic",
              "target": "/malware/Worm:LOGO/Logic"
            },
            {
              "id": "ETPro Trojan",
              "display_name": "ETPro Trojan",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Swisyn",
              "display_name": "TrojanSpy:Win32/Swisyn",
              "target": "/malware/TrojanSpy:Win32/Swisyn"
            },
            {
              "id": "Dark Power",
              "display_name": "Dark Power",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Artro",
              "display_name": "Artro",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            }
          ],
          "industries": [
            "Telecommunications"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 560,
            "FileHash-SHA1": 350,
            "FileHash-SHA256": 4371,
            "URL": 8165,
            "domain": 2548,
            "hostname": 2813,
            "CVE": 4,
            "email": 3
          },
          "indicator_count": 18814,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "849 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659261d5965b4824d1606cf9",
          "name": "Pegasus - a-poster.info",
          "description": "",
          "modified": "2024-01-31T04:00:35.757000",
          "created": "2024-01-01T06:55:17.262000",
          "tags": [
            "no expiration",
            "domain",
            "hostname",
            "ipv4",
            "expiration",
            "iocs",
            "ipv6",
            "url http",
            "url https",
            "next",
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "cidr",
            "pcap",
            "stix",
            "subid",
            "mtsub26293293",
            "dashboard",
            "browse scan",
            "endpoints all",
            "octoseek",
            "a poster",
            "apple",
            "apple id",
            "apple engineering",
            "icloud",
            "tulach",
            "hallrender",
            "ck matrix",
            "ck id",
            "xobo",
            "a nxdomain",
            "sabey",
            "aaaa",
            "win32",
            "briansabey",
            "brian",
            "brian sabey",
            "urls https",
            "unknown urls",
            "united",
            "ttl value",
            "tsara brashears",
            "trojan",
            "tracker",
            "tofsee",
            "threat analyzer",
            "threat",
            "temp",
            "teams api",
            "subdomains",
            "active",
            "active threat",
            "strings",
            "status codes",
            "japan national police agency",
            "pegasus",
            "china",
            "aig",
            "ssl certificate",
            "accept",
            "ssh on server",
            "speakez securus",
            "show technique",
            "https",
            "relay",
            "state",
            "android",
            "address",
            "aposter",
            "workaposter",
            "sha256",
            "showing",
            "simple",
            "span",
            "small",
            "serving ip",
            "script",
            "search",
            "root",
            "ca",
            "samples",
            "root ca",
            "resolutions",
            "remote",
            "relay",
            "relacion",
            "referrer",
            "record value",
            "applenoc",
            "as16625",
            "attack",
            "apple attack",
            "bundled",
            "canvas",
            "mitre attk",
            "brute force passwords",
            "body length",
            "body",
            "backdoor",
            "bellsouth",
            "bahamut",
            "bell south",
            "mitre",
            "cellbrite",
            "class",
            "click",
            "authority",
            "contentencoding",
            "akamai",
            "as20940",
            "as24940 hetzner",
            "as58061 scalaxy",
            "scalaxy",
            "as714",
            "critical",
            "communicating",
            "quasar",
            "trojan",
            "et",
            "icefog",
            "pegasus",
            "tofsee",
            "cmd",
            "crypto",
            "error",
            "dns replication",
            "domain entries",
            "et cins",
            "execution",
            "cname",
            "config",
            "contact",
            "contacted",
            "copy",
            "creation date",
            "formbook",
            "jekyll",
            "graph",
            "germany unknown",
            "generator",
            "general",
            "forbidden",
            "falcon sandbox",
            "ssl hostname",
            "false",
            "file",
            "final url",
            "final url summary",
            "hashes files",
            "headers nel",
            "historical",
            "malicious host",
            "malvertizing",
            "malware",
            "tagging",
            "contextualizing",
            "localappdata",
            "install",
            "installer",
            "ioc search",
            "iocs kb",
            "body",
            "local",
            "United states",
            "name",
            "name servers",
            "mitre att",
            "metro",
            "meta",
            "mail spammer",
            "submit",
            "submit quasar",
            "phishing",
            "pattern match",
            "paste",
            "passive dns",
            "nxdomain",
            "national police agency japan",
            "network",
            "verdict",
            "cmd",
            "sandbox",
            "http response",
            "record type",
            "phishing",
            "nuance",
            "next",
            "new ioc",
            "subdomains",
            "germany",
            "reinsurance",
            "nuance",
            "cybercrime",
            "tracking",
            "cyber stalking",
            "fear",
            "masquerading",
            "cobalt strike"
          ],
          "references": [
            "a-poster.info",
            "https://tulach.cc/",
            "images.ctfassets.net",
            "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
            "nr-data.net [Apple Private Data Collection]",
            "http://gmpg.org/xfn/11 [HTTrack]",
            "192.229.211.108 [Tracking & Virus Network]",
            "me.com [Pegasus]",
            "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
            "37.1.217.172 [scanning host]",
            "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "IceFog",
              "display_name": "IceFog",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Trojan",
              "display_name": "Trojan",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Appleservice",
              "display_name": "Appleservice",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4719,
            "domain": 2497,
            "hostname": 3549,
            "FileHash-MD5": 4118,
            "FileHash-SHA1": 3496,
            "FileHash-SHA256": 5861,
            "CIDR": 12,
            "email": 17
          },
          "indicator_count": 24269,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "851 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659261e2290ac1ecc5d9ca74",
          "name": "Pegasus - a-poster.info",
          "description": "",
          "modified": "2024-01-31T04:00:35.757000",
          "created": "2024-01-01T06:55:30.771000",
          "tags": [
            "no expiration",
            "domain",
            "hostname",
            "ipv4",
            "expiration",
            "iocs",
            "ipv6",
            "url http",
            "url https",
            "next",
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "cidr",
            "pcap",
            "stix",
            "subid",
            "mtsub26293293",
            "dashboard",
            "browse scan",
            "endpoints all",
            "octoseek",
            "a poster",
            "apple",
            "apple id",
            "apple engineering",
            "icloud",
            "tulach",
            "hallrender",
            "ck matrix",
            "ck id",
            "xobo",
            "a nxdomain",
            "sabey",
            "aaaa",
            "win32",
            "briansabey",
            "brian",
            "brian sabey",
            "urls https",
            "unknown urls",
            "united",
            "ttl value",
            "tsara brashears",
            "trojan",
            "tracker",
            "tofsee",
            "threat analyzer",
            "threat",
            "temp",
            "teams api",
            "subdomains",
            "active",
            "active threat",
            "strings",
            "status codes",
            "japan national police agency",
            "pegasus",
            "china",
            "aig",
            "ssl certificate",
            "accept",
            "ssh on server",
            "speakez securus",
            "show technique",
            "https",
            "relay",
            "state",
            "android",
            "address",
            "aposter",
            "workaposter",
            "sha256",
            "showing",
            "simple",
            "span",
            "small",
            "serving ip",
            "script",
            "search",
            "root",
            "ca",
            "samples",
            "root ca",
            "resolutions",
            "remote",
            "relay",
            "relacion",
            "referrer",
            "record value",
            "applenoc",
            "as16625",
            "attack",
            "apple attack",
            "bundled",
            "canvas",
            "mitre attk",
            "brute force passwords",
            "body length",
            "body",
            "backdoor",
            "bellsouth",
            "bahamut",
            "bell south",
            "mitre",
            "cellbrite",
            "class",
            "click",
            "authority",
            "contentencoding",
            "akamai",
            "as20940",
            "as24940 hetzner",
            "as58061 scalaxy",
            "scalaxy",
            "as714",
            "critical",
            "communicating",
            "quasar",
            "trojan",
            "et",
            "icefog",
            "pegasus",
            "tofsee",
            "cmd",
            "crypto",
            "error",
            "dns replication",
            "domain entries",
            "et cins",
            "execution",
            "cname",
            "config",
            "contact",
            "contacted",
            "copy",
            "creation date",
            "formbook",
            "jekyll",
            "graph",
            "germany unknown",
            "generator",
            "general",
            "forbidden",
            "falcon sandbox",
            "ssl hostname",
            "false",
            "file",
            "final url",
            "final url summary",
            "hashes files",
            "headers nel",
            "historical",
            "malicious host",
            "malvertizing",
            "malware",
            "tagging",
            "contextualizing",
            "localappdata",
            "install",
            "installer",
            "ioc search",
            "iocs kb",
            "body",
            "local",
            "United states",
            "name",
            "name servers",
            "mitre att",
            "metro",
            "meta",
            "mail spammer",
            "submit",
            "submit quasar",
            "phishing",
            "pattern match",
            "paste",
            "passive dns",
            "nxdomain",
            "national police agency japan",
            "network",
            "verdict",
            "cmd",
            "sandbox",
            "http response",
            "record type",
            "phishing",
            "nuance",
            "next",
            "new ioc",
            "subdomains",
            "germany",
            "reinsurance",
            "nuance",
            "cybercrime",
            "tracking",
            "cyber stalking",
            "fear",
            "masquerading",
            "cobalt strike"
          ],
          "references": [
            "a-poster.info",
            "https://tulach.cc/",
            "images.ctfassets.net",
            "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]",
            "nr-data.net [Apple Private Data Collection]",
            "http://gmpg.org/xfn/11 [HTTrack]",
            "192.229.211.108 [Tracking & Virus Network]",
            "me.com [Pegasus]",
            "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
            "37.1.217.172 [scanning host]",
            "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "IceFog",
              "display_name": "IceFog",
              "target": null
            },
            {
              "id": "Pegasus - MOB-S0005",
              "display_name": "Pegasus - MOB-S0005",
              "target": null
            },
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            },
            {
              "id": "Trojan",
              "display_name": "Trojan",
              "target": null
            },
            {
              "id": "Sabey",
              "display_name": "Sabey",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Appleservice",
              "display_name": "Appleservice",
              "target": null
            },
            {
              "id": "FormBook",
              "display_name": "FormBook",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1156",
              "name": "Malicious Shell Modification",
              "display_name": "T1156 - Malicious Shell Modification"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4695,
            "domain": 2494,
            "hostname": 3547,
            "FileHash-MD5": 4118,
            "FileHash-SHA1": 3496,
            "FileHash-SHA256": 5841,
            "CIDR": 12,
            "email": 17
          },
          "indicator_count": 24220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "851 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6590f9011e57040b2717c99c",
          "name": "https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa",
          "description": "",
          "modified": "2023-12-31T05:15:45.262000",
          "created": "2023-12-31T05:15:45.262000",
          "tags": [
            "ssl certificate",
            "threat roundup",
            "contacted",
            "execution",
            "august",
            "march",
            "whois record",
            "contacted urls",
            "malware",
            "copy",
            "april",
            "crypto",
            "alive",
            "malicious",
            "ducktail",
            "ransomware",
            "dead",
            "skynet",
            "chinese",
            "october",
            "roundup",
            "february",
            "goldfinder",
            "sibot",
            "hacktool",
            "metro",
            "goldmax",
            "installer",
            "awful",
            "open",
            "android",
            "banker",
            "keylogger",
            "united",
            "maltiverse",
            "mail spammer",
            "phishing site",
            "cyber threat",
            "engineering",
            "emotet",
            "phishing",
            "spammer",
            "firehol",
            "bank",
            "azorult",
            "team",
            "mirai",
            "pony",
            "nanocore",
            "bradesco",
            "cobalt strike",
            "installcore",
            "nymaim",
            "suppobox",
            "download",
            "looquer",
            "domains",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "million",
            "safe site",
            "adware",
            "malware site",
            "malicious site",
            "artemis",
            "opencandy",
            "riskware",
            "tofsee",
            "gandcrab",
            "trojanx",
            "trojan",
            "generic",
            "bankerx",
            "service",
            "runescape",
            "facebook",
            "exploit",
            "agent",
            "mimikatz",
            "unsafe",
            "alexa",
            "union",
            "webtoolbar",
            "ip summary",
            "url summary",
            "summary",
            "urls",
            "detection list",
            "blacklist https",
            "dsp1",
            "noname057",
            "tag count",
            "sample",
            "samples",
            "blacklist",
            "tsara brashears",
            "alohatube",
            "trojan",
            "scanning_host",
            "Botnet",
            "malvertizing",
            "abuse",
            "cyber stalking",
            "defacement",
            "adult content",
            "threats",
            "silencing",
            "harassment",
            "target",
            "aig",
            "workers compensation",
            "severe",
            "attack",
            "hacking",
            "yixun tool",
            "spyware",
            "malware",
            "evasion",
            "malicious",
            "private investigator",
            "legal entities",
            "insurance company",
            "remote attack",
            "colorado",
            "tulach",
            "Attack origin: United States",
            "apple",
            "ios",
            "victim",
            "allegations",
            "assault",
            "revenge",
            "retaliation",
            "libel",
            "monitoring",
            "tracking",
            "pegatech",
            "bam.nr-data.net",
            "bam",
            "nr-data.net",
            "matrix",
            "data.net",
            "asp.net",
            "apple private data collection",
            "norad.mil",
            "norad tracker",
            "b.scope",
            "command_and_control",
            "pornhub",
            "alohatube",
            "sweetheart videos",
            "users voice",
            "interfacing",
            "social engineering",
            "BankerX",
            "law enforcement aware, complacent or complicit?",
            "NSA tool Tulach malaware",
            "metro tmobile",
            "AS 10975 (NET-AIG) US",
            "record type",
            "ttl value",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "cus ou",
            "entrust",
            "oentrust",
            "l1k validity",
            "cus stnew",
            "group",
            "info",
            "domain status",
            "server",
            "date",
            "registrar abuse",
            "new york",
            "postal code",
            "contact phone",
            "registrar url",
            "csc corporate",
            "code",
            "microsoft",
            "win32 exe",
            "files",
            "detections type",
            "name",
            "confed",
            "network",
            "label netaig",
            "registry arin",
            "country us",
            "continent na",
            "whois lookup",
            "no match",
            "google",
            "dns replication",
            "domain",
            "type name",
            "pine street",
            "whois database",
            "email",
            "registrar iana",
            "icann whois",
            "contact",
            "form",
            "tech",
            "iana id",
            "tech email",
            "admin country",
            "CVE-2017-0147",
            "CVE-2018-0802",
            "CVE-2017-17215",
            "CVE-2016-7255",
            "CVE-2017-11882",
            "CVE-2017-8570"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "Chinese",
              "display_name": "Chinese",
              "target": null
            },
            {
              "id": "Looquer",
              "display_name": "Looquer",
              "target": null
            },
            {
              "id": "Inmortal",
              "display_name": "Inmortal",
              "target": null
            },
            {
              "id": "Domains",
              "display_name": "Domains",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Mimikatz",
              "display_name": "Mimikatz",
              "target": null
            },
            {
              "id": "HiddenTear",
              "display_name": "HiddenTear",
              "target": null
            },
            {
              "id": "Neurovt",
              "display_name": "Neurovt",
              "target": null
            },
            {
              "id": "Ransomexx",
              "display_name": "Ransomexx",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "TrojanX",
              "display_name": "TrojanX",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Sibot",
              "display_name": "Sibot",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "Trojan:Win32/InstallCore",
              "display_name": "Trojan:Win32/InstallCore",
              "target": "/malware/Trojan:Win32/InstallCore"
            },
            {
              "id": "Yixun",
              "display_name": "Yixun",
              "target": null
            },
            {
              "id": "GoldFinder",
              "display_name": "GoldFinder",
              "target": null
            },
            {
              "id": "GoldMax - S0588",
              "display_name": "GoldMax - S0588",
              "target": null
            },
            {
              "id": "DUCKTAIL",
              "display_name": "DUCKTAIL",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "GandCrab",
              "display_name": "GandCrab",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "Raccoon Stealer",
              "display_name": "Raccoon Stealer",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "OpenCandy",
              "display_name": "OpenCandy",
              "target": null
            },
            {
              "id": "FireHOL",
              "display_name": "FireHOL",
              "target": null
            },
            {
              "id": "HackTool.BruteForce",
              "display_name": "HackTool.BruteForce",
              "target": null
            },
            {
              "id": "HackTool.CheatEngine",
              "display_name": "HackTool.CheatEngine",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "NanoCore",
              "display_name": "NanoCore",
              "target": null
            },
            {
              "id": "Immortal Stealer",
              "display_name": "Immortal Stealer",
              "target": null
            },
            {
              "id": "WebToolBar",
              "display_name": "WebToolBar",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1001.003",
              "name": "Protocol Impersonation",
              "display_name": "T1001.003 - Protocol Impersonation"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1497.002",
              "name": "User Activity Based Checks",
              "display_name": "T1497.002 - User Activity Based Checks"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1491",
              "name": "Defacement",
              "display_name": "T1491 - Defacement"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "T1523",
              "name": "Evade Analysis Environment",
              "display_name": "T1523 - Evade Analysis Environment"
            },
            {
              "id": "T1445",
              "name": "Abuse of iOS Enterprise App Signing Key",
              "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
            },
            {
              "id": "T1453",
              "name": "Abuse Accessibility Features",
              "display_name": "T1453 - Abuse Accessibility Features"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            },
            {
              "id": "T1415",
              "name": "URL Scheme Hijacking",
              "display_name": "T1415 - URL Scheme Hijacking"
            },
            {
              "id": "T1184",
              "name": "SSH Hijacking",
              "display_name": "T1184 - SSH Hijacking"
            },
            {
              "id": "T1134.001",
              "name": "Token Impersonation/Theft",
              "display_name": "T1134.001 - Token Impersonation/Theft"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1584.005",
              "name": "Botnet",
              "display_name": "T1584.005 - Botnet"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6590f8f3b192d56e80294c13",
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5239,
            "FileHash-MD5": 929,
            "FileHash-SHA1": 500,
            "FileHash-SHA256": 3566,
            "domain": 1230,
            "hostname": 2051,
            "CVE": 6,
            "email": 5,
            "CIDR": 1
          },
          "indicator_count": 13527,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "882 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6590f8f3b192d56e80294c13",
          "name": "Aig.com Pegasus attack+ https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa",
          "description": "",
          "modified": "2023-12-31T05:15:31.645000",
          "created": "2023-12-31T05:15:31.645000",
          "tags": [
            "ssl certificate",
            "threat roundup",
            "contacted",
            "execution",
            "august",
            "march",
            "whois record",
            "contacted urls",
            "malware",
            "copy",
            "april",
            "crypto",
            "alive",
            "malicious",
            "ducktail",
            "ransomware",
            "dead",
            "skynet",
            "chinese",
            "october",
            "roundup",
            "february",
            "goldfinder",
            "sibot",
            "hacktool",
            "metro",
            "goldmax",
            "installer",
            "awful",
            "open",
            "android",
            "banker",
            "keylogger",
            "united",
            "maltiverse",
            "mail spammer",
            "phishing site",
            "cyber threat",
            "engineering",
            "emotet",
            "phishing",
            "spammer",
            "firehol",
            "bank",
            "azorult",
            "team",
            "mirai",
            "pony",
            "nanocore",
            "bradesco",
            "cobalt strike",
            "installcore",
            "nymaim",
            "suppobox",
            "download",
            "looquer",
            "domains",
            "cisco umbrella",
            "site",
            "heur",
            "alexa top",
            "million",
            "safe site",
            "adware",
            "malware site",
            "malicious site",
            "artemis",
            "opencandy",
            "riskware",
            "tofsee",
            "gandcrab",
            "trojanx",
            "trojan",
            "generic",
            "bankerx",
            "service",
            "runescape",
            "facebook",
            "exploit",
            "agent",
            "mimikatz",
            "unsafe",
            "alexa",
            "union",
            "webtoolbar",
            "ip summary",
            "url summary",
            "summary",
            "urls",
            "detection list",
            "blacklist https",
            "dsp1",
            "noname057",
            "tag count",
            "sample",
            "samples",
            "blacklist",
            "tsara brashears",
            "alohatube",
            "trojan",
            "scanning_host",
            "Botnet",
            "malvertizing",
            "abuse",
            "cyber stalking",
            "defacement",
            "adult content",
            "threats",
            "silencing",
            "harassment",
            "target",
            "aig",
            "workers compensation",
            "severe",
            "attack",
            "hacking",
            "yixun tool",
            "spyware",
            "malware",
            "evasion",
            "malicious",
            "private investigator",
            "legal entities",
            "insurance company",
            "remote attack",
            "colorado",
            "tulach",
            "Attack origin: United States",
            "apple",
            "ios",
            "victim",
            "allegations",
            "assault",
            "revenge",
            "retaliation",
            "libel",
            "monitoring",
            "tracking",
            "pegatech",
            "bam.nr-data.net",
            "bam",
            "nr-data.net",
            "matrix",
            "data.net",
            "asp.net",
            "apple private data collection",
            "norad.mil",
            "norad tracker",
            "b.scope",
            "command_and_control",
            "pornhub",
            "alohatube",
            "sweetheart videos",
            "users voice",
            "interfacing",
            "social engineering",
            "BankerX",
            "law enforcement aware, complacent or complicit?",
            "NSA tool Tulach malaware",
            "metro tmobile",
            "AS 10975 (NET-AIG) US",
            "record type",
            "ttl value",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "cus ou",
            "entrust",
            "oentrust",
            "l1k validity",
            "cus stnew",
            "group",
            "info",
            "domain status",
            "server",
            "date",
            "registrar abuse",
            "new york",
            "postal code",
            "contact phone",
            "registrar url",
            "csc corporate",
            "code",
            "microsoft",
            "win32 exe",
            "files",
            "detections type",
            "name",
            "confed",
            "network",
            "label netaig",
            "registry arin",
            "country us",
            "continent na",
            "whois lookup",
            "no match",
            "google",
            "dns replication",
            "domain",
            "type name",
            "pine street",
            "whois database",
            "email",
            "registrar iana",
            "icann whois",
            "contact",
            "form",
            "tech",
            "iana id",
            "tech email",
            "admin country",
            "CVE-2017-0147",
            "CVE-2018-0802",
            "CVE-2017-17215",
            "CVE-2016-7255",
            "CVE-2017-11882",
            "CVE-2017-8570"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "Chinese",
              "display_name": "Chinese",
              "target": null
            },
            {
              "id": "Looquer",
              "display_name": "Looquer",
              "target": null
            },
            {
              "id": "Inmortal",
              "display_name": "Inmortal",
              "target": null
            },
            {
              "id": "Domains",
              "display_name": "Domains",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Mimikatz",
              "display_name": "Mimikatz",
              "target": null
            },
            {
              "id": "HiddenTear",
              "display_name": "HiddenTear",
              "target": null
            },
            {
              "id": "Neurovt",
              "display_name": "Neurovt",
              "target": null
            },
            {
              "id": "Ransomexx",
              "display_name": "Ransomexx",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "TrojanX",
              "display_name": "TrojanX",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Nymaim",
              "display_name": "Nymaim",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Sibot",
              "display_name": "Sibot",
              "target": null
            },
            {
              "id": "AZORult",
              "display_name": "AZORult",
              "target": null
            },
            {
              "id": "Trojan:Win32/InstallCore",
              "display_name": "Trojan:Win32/InstallCore",
              "target": "/malware/Trojan:Win32/InstallCore"
            },
            {
              "id": "Yixun",
              "display_name": "Yixun",
              "target": null
            },
            {
              "id": "GoldFinder",
              "display_name": "GoldFinder",
              "target": null
            },
            {
              "id": "GoldMax - S0588",
              "display_name": "GoldMax - S0588",
              "target": null
            },
            {
              "id": "DUCKTAIL",
              "display_name": "DUCKTAIL",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "GandCrab",
              "display_name": "GandCrab",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "BlackNET",
              "display_name": "BlackNET",
              "target": null
            },
            {
              "id": "Raccoon Stealer",
              "display_name": "Raccoon Stealer",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "OpenCandy",
              "display_name": "OpenCandy",
              "target": null
            },
            {
              "id": "FireHOL",
              "display_name": "FireHOL",
              "target": null
            },
            {
              "id": "HackTool.BruteForce",
              "display_name": "HackTool.BruteForce",
              "target": null
            },
            {
              "id": "HackTool.CheatEngine",
              "display_name": "HackTool.CheatEngine",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "NanoCore",
              "display_name": "NanoCore",
              "target": null
            },
            {
              "id": "Immortal Stealer",
              "display_name": "Immortal Stealer",
              "target": null
            },
            {
              "id": "WebToolBar",
              "display_name": "WebToolBar",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1001.003",
              "name": "Protocol Impersonation",
              "display_name": "T1001.003 - Protocol Impersonation"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1497.002",
              "name": "User Activity Based Checks",
              "display_name": "T1497.002 - User Activity Based Checks"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1491",
              "name": "Defacement",
              "display_name": "T1491 - Defacement"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "TA0001",
              "name": "Initial Access",
              "display_name": "TA0001 - Initial Access"
            },
            {
              "id": "T1523",
              "name": "Evade Analysis Environment",
              "display_name": "T1523 - Evade Analysis Environment"
            },
            {
              "id": "T1445",
              "name": "Abuse of iOS Enterprise App Signing Key",
              "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key"
            },
            {
              "id": "T1453",
              "name": "Abuse Accessibility Features",
              "display_name": "T1453 - Abuse Accessibility Features"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            },
            {
              "id": "T1415",
              "name": "URL Scheme Hijacking",
              "display_name": "T1415 - URL Scheme Hijacking"
            },
            {
              "id": "T1184",
              "name": "SSH Hijacking",
              "display_name": "T1184 - SSH Hijacking"
            },
            {
              "id": "T1134.001",
              "name": "Token Impersonation/Theft",
              "display_name": "T1134.001 - Token Impersonation/Theft"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1584.005",
              "name": "Botnet",
              "display_name": "T1584.005 - Botnet"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "653f21878bcd05f7d594ff86",
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5239,
            "FileHash-MD5": 929,
            "FileHash-SHA1": 500,
            "FileHash-SHA256": 3566,
            "domain": 1230,
            "hostname": 2051,
            "CVE": 6,
            "email": 5,
            "CIDR": 1
          },
          "indicator_count": 13527,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "882 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6553b88c316cfb531b9c4c10",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go.com",
          "description": "spyware, 114.114.114.114, Tulach, C2, apple iOS, passwords, crack, unlock , click, att, hughesnet",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-14T18:12:28.459000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568ab12429c394dc4b91ea",
          "name": "iOS Unlocker| Apple | ATT | Monitoring| http://mobile.suddenlink2go",
          "description": "",
          "modified": "2023-12-14T15:03:30.417000",
          "created": "2023-11-16T21:33:37.838000",
          "tags": [
            "united",
            "blacklist",
            "malicious site",
            "mail spammer",
            "detection list",
            "cisco umbrella",
            "site",
            "safe site",
            "malware",
            "phishing site",
            "heur",
            "malware site",
            "alexa top",
            "million",
            "unsafe",
            "artemis",
            "riskware",
            "conduit",
            "agent",
            "opencandy",
            "xtrat",
            "iframe",
            "cleaner",
            "team",
            "installpack",
            "xrat",
            "tiggre",
            "presenoker",
            "fusioncore",
            "wacatac",
            "azorult",
            "phishing",
            "service",
            "runescape",
            "facebook",
            "bank",
            "download",
            "crack",
            "softcnapp",
            "trojanspy",
            "maltiverse",
            "falcon sandbox",
            "pattern match",
            "root ca",
            "authority",
            "class",
            "script",
            "ascii text",
            "mitre att",
            "localappdata",
            "temp",
            "ck id",
            "date",
            "unknown",
            "generator",
            "critical",
            "error",
            "meta",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "expiressun",
            "http response",
            "final url",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "pt3uc1",
            "path",
            "movies",
            "watch",
            "html info",
            "meta tags",
            "suddenlink tv",
            "trackers amazon",
            "pt3rc1",
            "whois record",
            "whois whois",
            "ssl certificate",
            "historical",
            "historical ssl",
            "referrer",
            "communicating",
            "dropped",
            "contacted",
            "apple ios",
            "hacktool",
            "metro",
            "malicious",
            "crypto",
            "installer",
            "attack",
            "awful",
            "brian sabey",
            "aig",
            "civicaIg",
            "tracking",
            "password crack",
            "tulach",
            "target tsara brashears",
            "tylerknott",
            "att",
            "monitoring",
            "spyware",
            "spying",
            "cybercrime",
            "tulach",
            "hughesnet",
            "ios",
            "toshiba",
            "attack",
            "malvertizing",
            "cyber stalking",
            "porn",
            "pornhub"
          ],
          "references": [
            "http://mobile.suddenlink2go.com/",
            "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
            "https://applemusic-spotlight.myunidays.com/US/en-US?",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "myhughesnet.com",
            "dishmail.net",
            "home.toshiba.com",
            "ytq2rs56.haogfw.com",
            "pornhub.com",
            "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
            "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
            "monitor.cablelan.net",
            "https://monitor.rodgersmith.com",
            "https://www.everycloudtech.com/free-mail-flow-monitor"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6553b88c316cfb531b9c4c10",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 144,
            "FileHash-SHA1": 179,
            "FileHash-SHA256": 4528,
            "CVE": 7,
            "domain": 2024,
            "hostname": 3556,
            "URL": 10455
          },
          "indicator_count": 20893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bc6301b7cdf7d04e095",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:44:54.422000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568d67bd96e06ab44b9b95",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-16T21:45:11.721000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65536bdc3676a40633a619be",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bdc3676a40633a619be",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:45:16.667000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570a756ee3c8ce2314e235a",
          "name": "Home Networks",
          "description": "",
          "modified": "2023-12-06T16:54:46.263000",
          "created": "2023-12-06T16:54:46.263000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 290,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2298,
            "FileHash-SHA256": 24535,
            "FileHash-MD5": 7197,
            "URL": 1188,
            "hostname": 2636,
            "JA3": 2,
            "email": 96,
            "CVE": 44,
            "FileHash-SHA1": 7174
          },
          "indicator_count": 45170,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 114,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709f0bbdd32cb4b343a12f",
          "name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
          "description": "",
          "modified": "2023-12-06T16:19:23.067000",
          "created": "2023-12-06T16:19:23.067000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2218,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1175,
            "hostname": 2514,
            "JA3": 2,
            "email": 83,
            "FileHash-SHA1": 7164,
            "CVE": 35
          },
          "indicator_count": 44904,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 111,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709eee2f74978bd15d60a9",
          "name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
          "description": "",
          "modified": "2023-12-06T16:18:53.346000",
          "created": "2023-12-06T16:18:53.346000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2219,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1175,
            "hostname": 2513,
            "JA3": 2,
            "email": 83,
            "FileHash-SHA1": 7164,
            "CVE": 35
          },
          "indicator_count": 44904,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709ed8415c89746a234d89",
          "name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
          "description": "",
          "modified": "2023-12-06T16:18:32.627000",
          "created": "2023-12-06T16:18:32.627000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2218,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1175,
            "hostname": 2513,
            "JA3": 2,
            "email": 83,
            "FileHash-SHA1": 7164,
            "CVE": 35
          },
          "indicator_count": 44903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709ebd65cdc059b8e373ef",
          "name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
          "description": "",
          "modified": "2023-12-06T16:18:05.044000",
          "created": "2023-12-06T16:18:05.044000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2218,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1175,
            "hostname": 2519,
            "JA3": 2,
            "email": 83,
            "FileHash-SHA1": 7164,
            "CVE": 36
          },
          "indicator_count": 44910,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709ea58a4b251d0f7aac7b",
          "name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
          "description": "",
          "modified": "2023-12-06T16:17:41.816000",
          "created": "2023-12-06T16:17:41.816000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2221,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1176,
            "hostname": 2513,
            "JA3": 2,
            "email": 83,
            "FileHash-SHA1": 7164,
            "CVE": 37
          },
          "indicator_count": 44909,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709e8b31eda9b13196277a",
          "name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
          "description": "",
          "modified": "2023-12-06T16:17:15.458000",
          "created": "2023-12-06T16:17:15.458000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2222,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1176,
            "hostname": 2513,
            "JA3": 2,
            "email": 83,
            "FileHash-SHA1": 7164,
            "CVE": 38
          },
          "indicator_count": 44911,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709e736e1768898768814f",
          "name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
          "description": "",
          "modified": "2023-12-06T16:16:51.265000",
          "created": "2023-12-06T16:16:51.265000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2221,
            "FileHash-SHA256": 24526,
            "FileHash-MD5": 7187,
            "URL": 1179,
            "hostname": 2521,
            "JA3": 2,
            "email": 84,
            "FileHash-SHA1": 7164,
            "CVE": 40
          },
          "indicator_count": 44924,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "mail.secure2.store.apple.com [vprsecure.com \u2022 Worm:Win32/Mydoom]",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "Backdoor.Win32.Pushdo.s Checkin",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "ytq2rs56.haogfw.com",
        "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]",
        "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "adsl-074-168-130-217.sip.pns.bellsouth.net",
        "Yara Detections: Nrv2x ,  upx_3 ,  UPX_OEP_place ,  UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser , UPX",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "pornhero.net| itsyourporn.com | http://cdn.itsyourporn.com | http://cdn.itsyourporn.com/assets/images/logo.jpg.  http://cdn2.video.itsyourporn.com | https://cdn.itsyourporn.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com",
        "AS27064 DOD Network Information Center? |  192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States",
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "c-67-181-73-197.hsd1.ca.comcast.net",
        "Found in: https://side3.com/ \u2022 https://side3.com/wp-json/ \u2022 https://side3.com/wp-json/wp/v2/pages/9 \u2022 https://side3.com/xmlrpc.php \u2022 side3.com \u2022 https://side3.com/wp-content/uploads/2015/07/favicon.ico.gif \u2022 https://www.facebook.com/side3studios",
        "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI",
        "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "fmx32.aig.com \u2022  167.230.105.81",
        "Adversary: https://github.com/SamuelTulach/VirusTotalUploader",
        "me.com [Pegasus]",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Emotet: FileHash-MD5 9e78accf19de70b1e614c9bd9d9a7928",
        "http://mobile.suddenlink2go.com/",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "Nameservers: squid.navo. ,  squid.navo.mil. ,  dns2.disa.mil. ,  minnow.navo. ,  navy.mil. ,  dns3.disa.mil.",
        "https://monitor.rodgersmith.com",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "Alerts: console_output antivm_memory_available pe_features",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen",
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "192.229.211.108 [Tracking & Virus Network]",
        "https://www.everycloudtech.com/free-mail-flow-monitor",
        "T1110.001 (Brute Force: Password Guessing)",
        "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "http://feeds.soundcloud.com/users/soundcloud:users:73198681/sounds.rss",
        "IP\u2019s Contacted:  8.8.8.8  78.46.218.253  74.208.229.157  192.5.41.40",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "CnC IP's: 20.103.85.33 \u2022 213.91.128.13 \u2022 74.6.143.25 \u2022 74.6.143.26 \u2022 74.6.231.20 \u2022 74.6.231.21",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE",
        "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany",
        "https://www.virustotal.com/gui/domain/paypal-secure-id-login-webobjects-support-home.e-pornosex.com/community",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "Antivirus Detections Other:Malware-gen\\ [Trj] ,  ALF:TrojanDownloader:PowerShell/Ploprolo.DB  Alerts network_icmp nolookup_communication injection_resumethread suspicious_powershell",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "IDS Detections: Possible HTA Application Download Dotted Quad Host HTA Request HTTP request for .exe file with no User-Agent",
        "AVDetections:  Patched3_c.AKRV",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Emotet: FileHash-SHA256 0071c6eea86a219777df283cc476ca450df4b04f4c7ed0eb48fbdf3a9cf7888f",
        "ASN AS27064 dod network information center",
        "https://work.a-poster.info",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process",
        "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "monitor.cablelan.net",
        "myhughesnet.com",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt",
        "Yara Detections: MS_Visual_Basic_6_0",
        "http://iv-u15.com/category/uncensored-leaked [ BitDefender: Porn \u2022 Xcitium: Verdict Cloud illegal software \u2022 Forcepoint: ThreatSeeker adult content]",
        "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "https://www.cibc.ca/en/personal-banking/bank-accounts/savings-accounts/bonus-savings.htm",
        "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )",
        "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States",
        "Alerts:  injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "http://gmpg.org/xfn/11 [HTTrack]",
        "https://hybrid-analysis.com/sample/889790f55a8a29ee75463bbcf014c3ed6cc76e6cd0278e491ec9fa1ed14862c4/655374e9921d5d73860b7db3",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IDS Detections: IDS Detections SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)",
        "http://trk.reverseparameter.site/gg/izuyv?to=https://mine-top-gratis-application.pw/e29481e9-a792-46a8-bbf0-188ed2a816ae/f10439e6-e61a-4420-ba88-29e9d1c5d2ea?brand=Lenovo&btd=dHJrLm1vYmlsZXRvcDIwMTh0ZWNoaWUueHl6&exptoken=MTU1NzUxMjgzMjgyMw==&lang=ar&model=K6+Note&td=dHJrLnJldmVyc2VwYXJhbWV0ZXIuc2l0ZS9wcmNlZWQ",
        "Contacted Domains:  tick.usno.navy.mil www.thinkman.com",
        "navy.mil \u2022 http://acts.navair.navy.mil \u2022  http://logistics.navair.navy.mil/rcm/",
        "contact_pki@apple.com [CAA mail contact] [17.253.142.4 Apple CAA IP]",
        "http://trk.brother-root-rich-of.xyz/campaign?id=4f1426e9-22f8-4e7a-9c32-1b2d42867559&var1=&extcid=w9A2DTCOAL56FRAK125KMLAI",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl",
        "37.1.217.172 [scanning host]",
        "AS15169 google llc  | 8.8.8.8\t| dns.google | United States",
        "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA1 b0b2c74463496c0020faf4655e83449f7e8019ec",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
        "Alerts:  queries_user_name queries_keyboard_layout queries_locale_api",
        "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf",
        "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )",
        "Nameservers: dns5.disa.mil. ,  dns4.disa.mil. ,  squad.navo.mil. ,  crnaone.navy.mil. ,  dns1.disa.mil.",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "dishmail.net",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "444ea032708bb0d940de0ef72b944244 | credit msudosos",
        "https://otx.alienvault.com/indicator/ip/74.6.231.21",
        "nr-data.net [Apple Private Data Collection]",
        "https://applemusic-spotlight.myunidays.com/US/en-US?",
        "home.toshiba.com",
        "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/",
        "Win32:RansomX-gen\\ [Ransom]: FileHash-SHA256 00000ae84c4f1f2332ef155130b4b8d65f1ed972a9cd851fe9e85f236f8cfa32",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "Alerts: disables_system_restore infostealer_mail persistence_ifeo recon_fingerprint stealth_hidden_extension stealth_hiddenreg",
        "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http",
        "a-poster.info",
        "https://www.healthonecares.com/physicians/profile/xxxxxxxxxx-MD | Attacker is tracking & hacking every service target has used.",
        "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun",
        "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259",
        "Alerts: network_icmp nolookup_communication injection_resumethread suspicious_powershell network_cnc_http",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Emotet:   FileHash-SHA1 2493981a18613a750ac3165199ec030a7c00663f",
        "identity_helper.exe",
        "TrojanDownloader:Win32/Umbald.A\tMalware infection",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "DoD related:  192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc",
        "bell.ca",
        "mailbox.co.za",
        "pornhub.com",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Tracking. Transactional agreement]",
        "https://tulach.cc/",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "Email: d4@thinkman.com",
        "Antivirus Detections: Win.Malware.Moonlight-9919383-0 ,  Worm:Win32/Lightmoon.H",
        "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous",
        "http://www.door.net/ARISBE/arisbe.htm",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "Alerts: antidebug_windows infostealer_cookies persistence_autorun antivm_generic_bios deletes_executed_files",
        "Yara Detections: Armadillov171",
        "Alerts: stealth_window packer_entropy uses_windows_utilities",
        "http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu",
        "Adversary: https://tulach.cc/ - Maware engineer. It's believed his malware is being used by Brian Sabey of Hall Render",
        "IDS Detections: Win32/Tofsee.AX google.com connectivity check",
        "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe",
        "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "images.ctfassets.net",
        "https://www.pornhub.com/video/search?search=tsara+brashears [Apple Password Cracker]"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
            "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
            "NSO GROUP"
          ],
          "malware_families": [
            "Paragon (pegasus variant)",
            "Trojandownloader:win32/cutwail",
            "Lolkek",
            "Cerber ransomware",
            "#lowfi:scpt:kiraasciiobfuscator",
            "Tel:trojandownloader:o97m/msiexecabuse",
            "World media",
            "Artro",
            "Possible",
            "Trojandownloader:win32/cutwail.bs",
            "Troj_spnv.01b615",
            "Trojanspy:win32/swisyn",
            "Alf:trojan:win32/cassini_f28c33a2",
            "Trojan:msil/clipbanker.gb!mtb",
            "Trojanx",
            "Worm:win32/mofksys.rnd!mtb",
            "Patched3_c.akrv",
            "Chinese",
            "Hacktool.cheatengine",
            "Worm:logo/logic",
            "Neurovt",
            "Ransomexx",
            "Worm:win32/lightmoon.h",
            "Backdoor:win32/simda",
            "Trojan:win32/emotet.yl",
            "Cl0p",
            "Crypt3.bmvu",
            "Trojan:win32/comspec",
            "Gandcrab",
            "Xloader for ios - s0490",
            "Artemis",
            "#hstr:hacktool:win32/remoteshell",
            "Skynet",
            "Trojan:win32/glupteba",
            "Slf:msil/pstanomaly.a",
            "Icefog",
            "Crypt3.chzw",
            "Crypt3.boqd\t\t inject2.bhbw",
            "#lowfi:hstr:win32/mediadownloader",
            "Nod32",
            "Trojan.downloader12.20457",
            "Alf:backdoor:powershell/reverseshell",
            "Nymaim",
            "Pegasus rdp module for windows",
            "Raccoon stealer",
            "Etpro trojan",
            "Firehol",
            "Mirai (windows)",
            "Androidoverlaymalware - mob-s0012",
            "Goldfinder",
            "Blacknet",
            "Win32:agent-alxe\\ [rtk]",
            "Alf:html/phishing",
            "Appleservice",
            "Immortal stealer",
            "Et trojan",
            "Trojan:js/berbew",
            "Maltiverse",
            "Webtoolbar",
            "Crypt3.blxp",
            "Opencandy",
            "Inject2.bive",
            "Trojan:win32/installcore",
            "Ducktail",
            "Emotet",
            "#lowfi:exploit:java/cve-2012-0507",
            "Starfighter (javascript)",
            "Sabey",
            "Blacknet rat",
            "Hallrender",
            "Inject3.qgy",
            "Cobalt strike",
            "Careto",
            "Malware family: stealthworker / gobrut",
            "Pws:win32/vb.cu",
            "Trojan.downloader.jrjv",
            "'win32:trojan-gen",
            "Backdoor.win32.hlux.csf",
            "Pegasus - mob-s0005",
            "Backdoor:linux/mirai",
            "Trojan:win32/tiggre!rfn",
            "Pegasus",
            "Mimikatz",
            "Nids",
            "Crypt3.bxmj",
            "Yixun",
            "Hacktool",
            "Trojan/win32.ransom",
            "Win.trojan.rootkit-4668",
            "Alf:heraklezeval:worm:win32/mimail!rfn",
            "Trojan",
            "Goldmax - s0588",
            "Amadey",
            "Pegasus for ios - s0289",
            "Azorult",
            "Crypt3.bxvc",
            "Hiddentear",
            "Virus:win32/floxif.h",
            "Win.trojan.pushdo-20",
            "Win.packed.zusy-7170176-0",
            "Mirai",
            "Etpro",
            "Trojandownloader:linux/mirai",
            "Nanocore",
            "Heur/unsec",
            "Pegasus for android - mob-s0032",
            "Ransomware",
            "Hacktool.bruteforce",
            "Win32:malware-gen",
            "Kelihos",
            "Ws.reputation.1",
            "Pegasus for mac",
            "Troj/hkmain-cc",
            "Sibot",
            "Alf:backdoor:java/webshell",
            "#lowfi:siga:trojandownloader:msil/genmaldow",
            "Quasar rat",
            "Backdoor:win32/tofsee.t",
            "Virtool:win32/obfuscator",
            "Tulach",
            "Zeroaccess - s0027",
            "Tulach malware",
            "Dark power",
            "Cve-2022-26134",
            "Trojanspy",
            "Inmortal",
            "Alf:trojandownloader:powershell/ploprolo.db",
            "Html smuggling",
            "#lowfitrojan:html/iframe",
            "Looquer",
            "Roblox",
            "Domains",
            "Win.trojan.zbot-9880005-0",
            "Et",
            "Worm:win32/mofksys.b",
            "Trojandownloader:win32/umbald.a",
            "Sf:shellcode-au\\ [trj]",
            "Trojan.downloader12.43161",
            "Graphite (pegasus variant)",
            "Backdoor:win32/tofsee",
            "Win32:ransomx-gen\\ [ransom]",
            "Formbook",
            "Trojandownloader:win32/cutwail.bv",
            "Win32:trojan-gen",
            "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
            "Tofsee"
          ],
          "industries": [
            "Judicial",
            "Civil",
            "Military",
            "People",
            "Media",
            "Civilians",
            "Insurance",
            "Healthcare",
            "Defense",
            "Civilian society",
            "Legal",
            "Government",
            "Technology",
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 50,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2dc7e076cbfe2d0f7eb90",
      "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
      "description": "",
      "modified": "2026-05-30T00:28:12.957000",
      "created": "2026-04-30T04:37:18.870000",
      "tags": [
        "united",
        "as397240",
        "search",
        "showing",
        "as54113",
        "as397241",
        "unknown",
        "moved",
        "creation date",
        "record value",
        "next",
        "date",
        "body",
        "a domains",
        "passive dns",
        "formbook cnc",
        "checkin",
        "entries",
        "github pages",
        "sea x",
        "accept",
        "status",
        "name servers",
        "certificate",
        "urls",
        "aaaa",
        "cname",
        "meta",
        "whitelisted ip",
        "address",
        "location united",
        "asn as36459",
        "github",
        "less whois",
        "registrar",
        "markmonitor",
        "related tags",
        "as36459",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse pulses",
        "files",
        "ninite",
        "expiration date",
        "domain",
        "hostname",
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "document file",
        "v2 document",
        "utf8",
        "crlf line",
        "beginstring",
        "size",
        "null",
        "hybrid",
        "refresh",
        "span",
        "local",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "url https",
        "tulach type",
        "role title",
        "added active",
        "pulses url",
        "url http",
        "nextc type",
        "type indicator",
        "related pulses",
        "filehashsha256",
        "copyright",
        "ipv6",
        "germany",
        "italy",
        "trojan",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "linux x8664",
        "khtml",
        "gecko",
        "veryhigh",
        "redirect",
        "httpsupgrades",
        "collisionbox",
        "runner",
        "gameoverpanel",
        "trex",
        "orgtechhandle",
        "orgtechref",
        "director",
        "university",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "orgid",
        "east",
        "report spam",
        "as8075",
        "servers",
        "secure server",
        "error all",
        "typeof",
        "error f",
        "crazy doll",
        "created",
        "filehashmd5",
        "types of",
        "russia",
        "emotet type",
        "mirai type",
        "mirai",
        "mtb description",
        "win32 type",
        "as31034 aruba",
        "italy unknown",
        "as19527 google",
        "encrypt",
        "health type",
        "miori hackers",
        "brute force",
        "backdoor",
        "aurora",
        "ip address",
        "path",
        "unis",
        "dotcisoffer",
        "bladabindi",
        "artro",
        "script urls",
        "as46606",
        "brazil unknown",
        "as11284",
        "as10906",
        "apache",
        "lanc type",
        "telper",
        "win32",
        "win64",
        "pulses email",
        "as9009 m247",
        "as7296 alchemy",
        "as14061",
        "as16276",
        "trojandropper",
        "ransom",
        "mtb sep",
        "msie",
        "chrome",
        "ip check",
        "gmt content",
        "pulse submit",
        "url analysis",
        "files ip",
        "aaaa nxdomain",
        "nxdomain",
        "a nxdomain",
        "as22612",
        "dnssec",
        "meta http",
        "accept encoding",
        "request id",
        "united kingdom",
        "div div",
        "arial helvetica",
        "emails",
        "as15169 google",
        "cryp",
        "gmt cache",
        "sameorigin",
        "domain name",
        "code",
        "false",
        "command type",
        "roleselfservice",
        "mcig sep",
        "all search",
        "author avatar",
        "days ago",
        "http",
        "related nids",
        "files location",
        "as30081",
        "gmt contenttype",
        "mozilla",
        "as15133 verizon",
        "whitelisted",
        "meta name",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "request",
        "softcnapp",
        "overview ip",
        "flag united",
        "files related",
        "as62597 nsone",
        "as31898 oracle",
        "mtb aug",
        "class",
        "twitter",
        "april",
        "secure",
        "httponly",
        "expiresthu",
        "pragma",
        "as13414 twitter",
        "smoke loader",
        "reverse dns",
        "asnone united",
        "idlogin sep",
        "uid38009",
        "expiration",
        "hack type",
        "porn type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Italy",
        "Aruba"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66fc29a49b5ac693c8d75122",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3851,
        "FileHash-MD5": 6012,
        "FileHash-SHA1": 5906,
        "domain": 3330,
        "email": 33,
        "hostname": 4231,
        "CVE": 2,
        "FileHash-SHA256": 8407,
        "CIDR": 2,
        "SSLCertFingerprint": 7
      },
      "indicator_count": 31781,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc7a6778f84c179d27073",
      "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
      "description": "",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:31:34.221000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "69efc567ae24b8285a71099d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1039,
        "hostname": 868,
        "domain": 687,
        "URL": 2226,
        "FileHash-MD5": 133,
        "FileHash-SHA1": 96,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5064,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc567ae24b8285a71099d",
      "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
      "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:21:59.824000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1037,
        "hostname": 865,
        "domain": 685,
        "URL": 2224,
        "FileHash-MD5": 131,
        "FileHash-SHA1": 94,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5051,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d6c7fec016b76d49ed95ae",
      "name": "VirusTotal report\n                    for index.html",
      "description": "shatter",
      "modified": "2026-05-08T22:06:56.603000",
      "created": "2026-04-08T21:26:22.351000",
      "tags": [
        "performs dns",
        "united",
        "https",
        "found",
        "tls version",
        "mitre attack",
        "network info",
        "processes extra",
        "urls",
        "t1055 process",
        "phishing",
        "next",
        "script",
        "doctype html",
        "variablece2034",
        "head"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 442,
        "FileHash-MD5": 245,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 573,
        "URL": 570,
        "hostname": 1058,
        "email": 3,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 3094,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2dc7db0bb5c5cdaec5a6c",
      "name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
      "description": "",
      "modified": "2026-04-30T04:53:09.713000",
      "created": "2026-04-30T04:37:17.546000",
      "tags": [
        "united",
        "as397240",
        "search",
        "showing",
        "as54113",
        "as397241",
        "unknown",
        "moved",
        "creation date",
        "record value",
        "next",
        "date",
        "body",
        "a domains",
        "passive dns",
        "formbook cnc",
        "checkin",
        "entries",
        "github pages",
        "sea x",
        "accept",
        "status",
        "name servers",
        "certificate",
        "urls",
        "aaaa",
        "cname",
        "meta",
        "whitelisted ip",
        "address",
        "location united",
        "asn as36459",
        "github",
        "less whois",
        "registrar",
        "markmonitor",
        "related tags",
        "as36459",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "pulse pulses",
        "files",
        "ninite",
        "expiration date",
        "domain",
        "hostname",
        "sha256",
        "sha1",
        "ascii text",
        "pattern match",
        "document file",
        "v2 document",
        "utf8",
        "crlf line",
        "beginstring",
        "size",
        "null",
        "hybrid",
        "refresh",
        "span",
        "local",
        "click",
        "strings",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "contact",
        "url https",
        "tulach type",
        "role title",
        "added active",
        "pulses url",
        "url http",
        "nextc type",
        "type indicator",
        "related pulses",
        "filehashsha256",
        "copyright",
        "ipv6",
        "germany",
        "italy",
        "trojan",
        "trojanspy",
        "worm",
        "trojanclicker",
        "virtool",
        "service",
        "linux x8664",
        "khtml",
        "gecko",
        "veryhigh",
        "redirect",
        "httpsupgrades",
        "collisionbox",
        "runner",
        "gameoverpanel",
        "trex",
        "orgtechhandle",
        "orgtechref",
        "director",
        "university",
        "nethandle",
        "net168",
        "net1680000",
        "ucha",
        "orgid",
        "east",
        "report spam",
        "as8075",
        "servers",
        "secure server",
        "error all",
        "typeof",
        "error f",
        "crazy doll",
        "created",
        "filehashmd5",
        "types of",
        "russia",
        "emotet type",
        "mirai type",
        "mirai",
        "mtb description",
        "win32 type",
        "as31034 aruba",
        "italy unknown",
        "as19527 google",
        "encrypt",
        "health type",
        "miori hackers",
        "brute force",
        "backdoor",
        "aurora",
        "ip address",
        "path",
        "unis",
        "dotcisoffer",
        "bladabindi",
        "artro",
        "script urls",
        "as46606",
        "brazil unknown",
        "as11284",
        "as10906",
        "apache",
        "lanc type",
        "telper",
        "win32",
        "win64",
        "pulses email",
        "as9009 m247",
        "as7296 alchemy",
        "as14061",
        "as16276",
        "trojandropper",
        "ransom",
        "mtb sep",
        "msie",
        "chrome",
        "ip check",
        "gmt content",
        "pulse submit",
        "url analysis",
        "files ip",
        "aaaa nxdomain",
        "nxdomain",
        "a nxdomain",
        "as22612",
        "dnssec",
        "meta http",
        "accept encoding",
        "request id",
        "united kingdom",
        "div div",
        "arial helvetica",
        "emails",
        "as15169 google",
        "cryp",
        "gmt cache",
        "sameorigin",
        "domain name",
        "code",
        "false",
        "command type",
        "roleselfservice",
        "mcig sep",
        "all search",
        "author avatar",
        "days ago",
        "http",
        "related nids",
        "files location",
        "as30081",
        "gmt contenttype",
        "mozilla",
        "as15133 verizon",
        "whitelisted",
        "meta name",
        "robots content",
        "x ua",
        "ieedge chrome1",
        "incapsula",
        "request",
        "softcnapp",
        "overview ip",
        "flag united",
        "files related",
        "as62597 nsone",
        "as31898 oracle",
        "mtb aug",
        "class",
        "twitter",
        "april",
        "secure",
        "httponly",
        "expiresthu",
        "pragma",
        "as13414 twitter",
        "smoke loader",
        "reverse dns",
        "asnone united",
        "idlogin sep",
        "uid38009",
        "expiration",
        "hack type",
        "porn type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Italy",
        "Aruba"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Artro",
          "display_name": "Artro",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "66fc29a49b5ac693c8d75122",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3851,
        "FileHash-MD5": 6012,
        "FileHash-SHA1": 5906,
        "domain": 3330,
        "email": 33,
        "hostname": 4231,
        "CVE": 2,
        "FileHash-SHA256": 8407,
        "CIDR": 2,
        "SSLCertFingerprint": 7
      },
      "indicator_count": 31781,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6992bae83a5988dff8311490",
      "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
      "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
      "modified": "2026-04-24T13:20:48.450000",
      "created": "2026-02-16T06:36:24.788000",
      "tags": [
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
        "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
        "#PotentialUS-Origin_FalseFlag_Obfuscation"
      ],
      "references": [
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "T1110.001 (Brute Force: Password Guessing)",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
        "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
      ],
      "public": 1,
      "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Malware Family: StealthWorker / GoBrut",
          "display_name": "Malware Family: StealthWorker / GoBrut",
          "target": "/malware/Malware Family: StealthWorker / GoBrut"
        },
        {
          "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2166,
        "FileHash-SHA1": 2067,
        "FileHash-SHA256": 3371,
        "domain": 13295,
        "URL": 6860,
        "email": 272,
        "hostname": 4705,
        "SSLCertFingerprint": 268,
        "CVE": 108,
        "CIDR": 6
      },
      "indicator_count": 33118,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "37 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b7241a63b7527ac2b04d60",
      "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]",
      "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019  by msudosos notated in  references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]",
      "modified": "2026-04-14T18:06:37.524000",
      "created": "2026-03-15T21:26:50.218000",
      "tags": [
        "man software",
        "destination",
        "port",
        "united",
        "delete",
        "read c",
        "virustotal",
        "patched3_c.akrv",
        "armadillov171",
        "dod",
        "thinkman",
        "win32",
        "trojan",
        "present mar",
        "backdoor",
        "urls",
        "files",
        "unknown",
        "search",
        "china as23724",
        "asnone",
        "artemis",
        "zeppelin",
        "drweb",
        "vipre",
        "panda",
        "malware",
        "suspicious",
        "cloud",
        "logic",
        "et trojan",
        "et info",
        "download",
        "windows",
        "embeddedwb",
        "shellexecuteexw",
        "msie",
        "windows nt",
        "writeconsolew",
        "displayname",
        "service",
        "ids detections",
        "yara detections",
        "crypt",
        "medium",
        "whitelisted",
        "passive dns",
        "worm",
        "mtb may",
        "mtb aug",
        "otx logo",
        "all ipv4",
        "pulse pulses",
        "dynamicloader",
        "yara rule",
        "ff d5",
        "high",
        "reg add",
        "regsz d",
        "write",
        "file type",
        "pexe",
        "pe32",
        "intel",
        "ms windows",
        "pe packer",
        "pm size",
        "pehash",
        "richhash",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "found",
        "over",
        "sha256",
        "sha1",
        "ascii text",
        "size",
        "mitre att",
        "pattern match",
        "null",
        "span",
        "error",
        "body",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "refresh",
        "tools",
        "title",
        "show technique",
        "look",
        "verify",
        "restart",
        "t1480 execution",
        "navy",
        "reputation",
        "adult content",
        "cyber warfare"
      ],
      "references": [
        "AVDetections:  Patched3_c.AKRV",
        "Yara Detections: Armadillov171",
        "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http",
        "IP\u2019s Contacted:  8.8.8.8  78.46.218.253  74.208.229.157  192.5.41.40",
        "Contacted Domains:  tick.usno.navy.mil www.thinkman.com",
        "AS27064 DOD Network Information Center? |  192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States",
        "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States",
        "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany",
        "AS15169 google llc  | 8.8.8.8\t| dns.google | United States",
        "Email: d4@thinkman.com",
        "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States",
        "ASN AS27064 dod network information center",
        "Nameservers: dns5.disa.mil. ,  dns4.disa.mil. ,  squad.navo.mil. ,  crnaone.navy.mil. ,  dns1.disa.mil.",
        "Nameservers: squid.navo. ,  squid.navo.mil. ,  dns2.disa.mil. ,  minnow.navo. ,  navy.mil. ,  dns3.disa.mil.",
        "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen",
        "TrojanDownloader:Win32/Umbald.A\tMalware infection",
        "IDS Detections: Win32/Tofsee.AX google.com connectivity check",
        "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc",
        "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process",
        "Alerts: stealth_window packer_entropy uses_windows_utilities",
        "Alerts: console_output antivm_memory_available pe_features",
        "Yara Detections: MS_Visual_Basic_6_0",
        "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun",
        "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe",
        "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
        "Alerts:  injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities",
        "Alerts:  queries_user_name queries_keyboard_layout queries_locale_api",
        "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types",
        "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com",
        "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/",
        "navy.mil \u2022 http://acts.navair.navy.mil \u2022  http://logistics.navair.navy.mil/rcm/",
        "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous",
        "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host",
        "444ea032708bb0d940de0ef72b944244 | credit msudosos",
        "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244",
        "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]",
        "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf",
        "DoD related:  192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26",
        "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif",
        "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )",
        "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )",
        "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0",
        "mailbox.co.za",
        "fmx32.aig.com \u2022  167.230.105.81",
        "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Patched3_c.AKRV",
          "display_name": "Patched3_c.AKRV",
          "target": null
        },
        {
          "id": "Win32:Agent-ALXE\\ [Rtk]",
          "display_name": "Win32:Agent-ALXE\\ [Rtk]",
          "target": null
        },
        {
          "id": "Win.Trojan.Rootkit-4668",
          "display_name": "Win.Trojan.Rootkit-4668",
          "target": null
        },
        {
          "id": "Trojan:Win32/Tiggre!rfn",
          "display_name": "Trojan:Win32/Tiggre!rfn",
          "target": "/malware/Trojan:Win32/Tiggre!rfn"
        },
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "Win32:Trojan-gen",
          "display_name": "Win32:Trojan-gen",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Tofsee.T",
          "display_name": "Backdoor:Win32/Tofsee.T",
          "target": "/malware/Backdoor:Win32/Tofsee.T"
        },
        {
          "id": "Inject2.BIVE",
          "display_name": "Inject2.BIVE",
          "target": null
        },
        {
          "id": "Crypt3.CHZW",
          "display_name": "Crypt3.CHZW",
          "target": null
        },
        {
          "id": "Crypt3.BXVC",
          "display_name": "Crypt3.BXVC",
          "target": null
        },
        {
          "id": "Crypt3.BXMJ",
          "display_name": "Crypt3.BXMJ",
          "target": null
        },
        {
          "id": "Crypt3.BOQD\t\t Inject2.BHBW",
          "display_name": "Crypt3.BOQD\t\t Inject2.BHBW",
          "target": null
        },
        {
          "id": "Crypt3.BMVU",
          "display_name": "Crypt3.BMVU",
          "target": null
        },
        {
          "id": "Trojan.DownLoader12.43161",
          "display_name": "Trojan.DownLoader12.43161",
          "target": null
        },
        {
          "id": "HEUR/UnSec",
          "display_name": "HEUR/UnSec",
          "target": null
        },
        {
          "id": "ET Trojan",
          "display_name": "ET Trojan",
          "target": null
        },
        {
          "id": "Win32:Trojan-gen",
          "display_name": "Win32:Trojan-gen",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Umbald.A",
          "display_name": "TrojanDownloader:Win32/Umbald.A",
          "target": "/malware/TrojanDownloader:Win32/Umbald.A"
        }
      ],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1100",
          "name": "Web Shell",
          "display_name": "T1100 - Web Shell"
        },
        {
          "id": "T1156",
          "name": "Malicious Shell Modification",
          "display_name": "T1156 - Malicious Shell Modification"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1048.003",
          "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
          "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1048.001",
          "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
          "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        }
      ],
      "industries": [
        "Government",
        "Military",
        "Defense",
        "Insurance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 165,
        "FileHash-SHA1": 165,
        "FileHash-SHA256": 3524,
        "URL": 11424,
        "email": 1,
        "hostname": 3954,
        "domain": 2523
      },
      "indicator_count": 21756,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "46 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b92a27c47d4e28927364",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:26.110000",
      "created": "2026-03-12T13:01:30.067000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 72,
      "modified_text": "80 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b9295603a6100edfa8c8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:25.387000",
      "created": "2026-03-12T13:01:29.284000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "80 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "excite.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "excite.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780246912.5915453
}