{ "type": "Domain", "indicator": "fixtracking.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fixtracking.com", "alexa": "http://www.alexa.com/siteinfo/fixtracking.com", "indicator": "fixtracking.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2942748047, "indicator": "fixtracking.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69da656a68549f39be14bd77", "name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise", "description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat", "modified": "2026-04-11T15:14:50.815000", "created": "2026-04-11T15:14:50.815000", "tags": [ "united", "unknown ns", "ip address", "st kitts", "gmt content", "ai chat", "all domain", "encrypt", "mtb mar", "virtool", "x frame", "x xss", "x content", "gmt cache", "twitter", "win32", "locale", "extraction", "gm cache", "include data", "review exclude", "suggestadiacs", "report spam", "duckduckgo", "url http", "urls", "all url", "http", "active", "duck.ai", "duckduckgo ai", "private ai", "chatbot", "free ai", "chat", "anonymous ai", "ai chat", "no sign up", "openai", "anthropic", "llama", "mistral", "open source", "javascript", "ai models", "privacy focused", "recording screen", "ai", "no account ai chat", "data upload", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "development att", "ssl certificate", "over", "defense evasion", "mitre att", "ck matrix", "size", "meta", "april", "hybrid", "general", "local", "path", "click", "strings", "dark", "roboto", "invisible", "desktop", "small", "tls sni", "contacted", "filehash", "ids detections", "yara detections", "alerts", "file sharing", "https domain", "tls handshake", "failure alerts", "less ip", "nextcloud", "hackers", "they mad", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "malware", "write", "self", "network_icmp", "icmp traffic", "passive dns", "moved", "netherlands", "gmt server", "gmt etag", "user agent", "all ipv4", "pulse submit", "url analysis", "apache", "accept", "writeconsolea", "script", "read c", "search", "show", "medium", "html", "high", "form", "create c", "write c", "registry", "windows", "delete c", "tools", "persistence", "execution", "dock", "malicious", "unknown" ], "references": [ "duck.ai \u2022 https://duck.ai/chat phishing", "go.trckclick.xyz \u2022 att.trk.173trk.com", "anyconnect.online", "ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar", "files.catbox.moe", "passwordresetalcb.accenture.cn", "https://www.phantomcameras.cn.bscedge.com", "www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org", "loophole.outlook89.accesscam.org", "https://www.phantomcameras.cn/applications/where/piv", "https://www.phantomcameras.cn.bscedge.com", "52.250.42.157 scanning_host", "https://nextcloud.simonduffey.ch", "https://nextcloud.paroxity.org/", "http://mail.saynextapp.accesscam.org/", "http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script", "https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:", "http://docs.duckduckhack.com/walkthroughs/programming-syntax.html", "http://www.duckduckhack.com \u2022 docs.duckduckhack.com", "http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html", "https://duck.ai/apple-touch-icon.png", "http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/", "http://up.chenmin.org/login/jquery.min.js", "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "Win.Packed.Reline-9875163-0", "IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)", "Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception", "Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters", "Alerts: packer_entropy antivm_queries_computername checks_debugger console_output", "Alerts: antivm_memory_available pe_features raises", "IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240", "Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,", "Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722", "https://www.mof.gov.cn.lxcvc.com/", "https://cms.medicarementalhealthcheckin.gov.au", "https://duck.ai/apple-touch-icon.png", "edge-mobile-static.azureedge.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "target": null }, { "id": "VirTool:MSIL/Mousewe.A!MTB", "display_name": "VirTool:MSIL/Mousewe.A!MTB", "target": "/malware/VirTool:MSIL/Mousewe.A!MTB" }, { "id": "Win.Packed.Reline-9875163-0", "display_name": "Win.Packed.Reline-9875163-0", "target": null } ], "attack_ids": [ { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1181, "FileHash-SHA1": 195, "IPv4": 50, "domain": 320, "hostname": 529, "FileHash-SHA256": 1702, "FileHash-MD5": 201, "SSLCertFingerprint": 8 }, "indicator_count": 4186, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5d127d47a71739be85231", "name": "codered.crisis24.com dnssec unsigned - MA failing cyber safety + recent breaches", "description": "MA in particular lacks many dnssec signatures", "modified": "2026-04-01T18:00:23.406000", "created": "2026-03-02T18:04:23.554000", "tags": [ "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 156, "domain": 305, "URL": 208, "FileHash-MD5": 86, "FileHash-SHA1": 20 }, "indicator_count": 775, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707e5b7df6f60133e8fb50", "name": "Jeeng / Powerbox", "description": "", "modified": "2023-12-06T13:59:55.129000", "created": "2023-12-06T13:59:55.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 9072, "domain": 2500, "hostname": 3584, "URL": 13548, "FileHash-MD5": 197, "FileHash-SHA1": 162, "email": 19, "CIDR": 20, "SSLCertFingerprint": 2, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620c3b1f8af7ea0dcf2c1218", "name": "Jeeng / Powerbox", "description": "", "modified": "2022-06-12T22:01:23.105000", "created": "2022-02-15T23:45:35.234000", "tags": [ "Jeeng", "tim pool", "timcast" ], "references": [ "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9072, "domain": 2500, "URL": 13548, "hostname": 3584, "FileHash-MD5": 197, "FileHash-SHA1": 162, "CVE": 3, "CIDR": 20, "SSLCertFingerprint": 2, "email": 19, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 97, "modified_text": "1407 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "http://www.duckduckhack.com \u2022 docs.duckduckhack.com", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer", "http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/", "Alerts: antivm_memory_available pe_features raises", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters", "Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception", "52.250.42.157 scanning_host", "https://duck.ai/apple-touch-icon.png", "go.trckclick.xyz \u2022 att.trk.173trk.com", "IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240", "https://www.phantomcameras.cn/applications/where/piv", "ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar", "http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script", "Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "loophole.outlook89.accesscam.org", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "edge-mobile-static.azureedge.net", "http://up.chenmin.org/login/jquery.min.js", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://nextcloud.simonduffey.ch", "http://mail.saynextapp.accesscam.org/", "files.catbox.moe", "http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html", "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722", "https://cms.medicarementalhealthcheckin.gov.au", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "passwordresetalcb.accenture.cn", "Win.Packed.Reline-9875163-0", "anyconnect.online", "Alerts: packer_entropy antivm_queries_computername checks_debugger console_output", "https://www.phantomcameras.cn.bscedge.com", "https://www.mof.gov.cn.lxcvc.com/", "duck.ai \u2022 https://duck.ai/chat phishing", "www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org", "https://nextcloud.paroxity.org/", "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap", "IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61", "http://docs.duckduckhack.com/walkthroughs/programming-syntax.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win32:malware-gen", "Win.packed.reline-9875163-0", "Virtool:msil/mousewe.a!mtb", "Alf:hstr:trojan:win32/disableuac.a!bit" ], "industries": [ "Telecommunications", "Government", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69da656a68549f39be14bd77", "name": "Anonymous ai Chat guided as Duck.ai \u2022 DisableUAC \u2022 Drive by Compromise", "description": "I decided to test most malicious devices I\u2019m researching. I tested 2 browsers on device, an anonymous version of chat GPT 5 popped up (drive by compromise). Labeled: duck.ai in browser bar. I chose to interact with something that came seemingly from nowhere. \n\nDuring each interaction a red recording button appeared. Screen recording in progress on device. I asked anonymous actor about the recording button. Response: \u2018That red square is the browser or site's visual indicator that the page is capturing input or has an active interactive state - it isn't me recording audio. Try these checks:\n\u2022 Look for a site-level microphone/camera permission prompt in your browser address bar.\u2019\n\nThe attackers must be associated with Tulach /\nNextCloud , likely angry that I researched the adversarial nature of the presence in malicious, deeply compromised media. \n\nConsequences: threat actors retaliating because their own behavior and existence in malicious media is being researched. \n#tulach #nextcloud #anonymous_ai_chat", "modified": "2026-04-11T15:14:50.815000", "created": "2026-04-11T15:14:50.815000", "tags": [ "united", "unknown ns", "ip address", "st kitts", "gmt content", "ai chat", "all domain", "encrypt", "mtb mar", "virtool", "x frame", "x xss", "x content", "gmt cache", "twitter", "win32", "locale", "extraction", "gm cache", "include data", "review exclude", "suggestadiacs", "report spam", "duckduckgo", "url http", "urls", "all url", "http", "active", "duck.ai", "duckduckgo ai", "private ai", "chatbot", "free ai", "chat", "anonymous ai", "ai chat", "no sign up", "openai", "anthropic", "llama", "mistral", "open source", "javascript", "ai models", "privacy focused", "recording screen", "ai", "no account ai chat", "data upload", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "development att", "ssl certificate", "over", "defense evasion", "mitre att", "ck matrix", "size", "meta", "april", "hybrid", "general", "local", "path", "click", "strings", "dark", "roboto", "invisible", "desktop", "small", "tls sni", "contacted", "filehash", "ids detections", "yara detections", "alerts", "file sharing", "https domain", "tls handshake", "failure alerts", "less ip", "nextcloud", "hackers", "they mad", "msie", "windows nt", "wow64", "slcc2", "media center", "port", "destination", "malware", "write", "self", "network_icmp", "icmp traffic", "passive dns", "moved", "netherlands", "gmt server", "gmt etag", "user agent", "all ipv4", "pulse submit", "url analysis", "apache", "accept", "writeconsolea", "script", "read c", "search", "show", "medium", "html", "high", "form", "create c", "write c", "registry", "windows", "delete c", "tools", "persistence", "execution", "dock", "malicious", "unknown" ], "references": [ "duck.ai \u2022 https://duck.ai/chat phishing", "go.trckclick.xyz \u2022 att.trk.173trk.com", "anyconnect.online", "ddg.gg \u2022 http://ddg.gg/?q=corezuelo \u2022 http://ddg.gg/?q=embozalar", "files.catbox.moe", "passwordresetalcb.accenture.cn", "https://www.phantomcameras.cn.bscedge.com", "www.cam4.page \u2022 campaigncdn.com \u2022 accesscam.org", "loophole.outlook89.accesscam.org", "https://www.phantomcameras.cn/applications/where/piv", "https://www.phantomcameras.cn.bscedge.com", "52.250.42.157 scanning_host", "https://nextcloud.simonduffey.ch", "https://nextcloud.paroxity.org/", "http://mail.saynextapp.accesscam.org/", "http://dict.bing.com.cn/cloudwidget/Scripts/Generated/BingTranslate_Hover_Phrase_Selection_ShowIcon.js';script.onload=INIT;document.body.appendChild(script", "https://duck.ai/chat?q=tsara+brashears+hacked&t=iphone:", "http://docs.duckduckhack.com/walkthroughs/programming-syntax.html", "http://www.duckduckhack.com \u2022 docs.duckduckhack.com", "http://docs.duckduckhack.com/frontend-reference/cheat-sheet-reference.html", "https://duck.ai/apple-touch-icon.png", "http://r13.c.lencr.org/24.crl \u2022 http://r13.i.lencr.org/", "http://up.chenmin.org/login/jquery.min.js", "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "Win.Packed.Reline-9875163-0", "IDS Detections: OpenSSL Demo CA - Internet Widgits Pty (O)", "Alerts: network_icmp nolookup_communication antisandbox_idletime antisandbox_sleep_exception", "Alerts: antivm_generic_bios antivm_firmware antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http nids_alert allocates_rwx antivm_network_adapters", "Alerts: packer_entropy antivm_queries_computername checks_debugger console_output", "Alerts: antivm_memory_available pe_features raises", "IP\u2019s Contacted: 104.18.11.39 104.73.1.162 142.93.108.213 52.250.42.157 72.21.81.240", "Domains Contacted: www.download.windowsupdate.com www.microsoft.com cacerts.digicert.com duckduckgo.com ,", "Redline: https://otx.alienvault.com/otxapi/indicators/file/screenshot/316c67e7150c6841d0d40a180bba390793ffeb9edfb8ec0321e1a16e97f68722", "https://www.mof.gov.cn.lxcvc.com/", "https://cms.medicarementalhealthcheckin.gov.au", "https://duck.ai/apple-touch-icon.png", "edge-mobile-static.azureedge.net" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "display_name": "ALF:HSTR:Trojan:Win32/DisableUAC.A!bit", "target": null }, { "id": "VirTool:MSIL/Mousewe.A!MTB", "display_name": "VirTool:MSIL/Mousewe.A!MTB", "target": "/malware/VirTool:MSIL/Mousewe.A!MTB" }, { "id": "Win.Packed.Reline-9875163-0", "display_name": "Win.Packed.Reline-9875163-0", "target": null } ], "attack_ids": [ { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1462", "name": "Malicious Software Development Tools", "display_name": "T1462 - Malicious Software Development Tools" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1181, "FileHash-SHA1": 195, "IPv4": 50, "domain": 320, "hostname": 529, "FileHash-SHA256": 1702, "FileHash-MD5": 201, "SSLCertFingerprint": 8 }, "indicator_count": 4186, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5d127d47a71739be85231", "name": "codered.crisis24.com dnssec unsigned - MA failing cyber safety + recent breaches", "description": "MA in particular lacks many dnssec signatures", "modified": "2026-04-01T18:00:23.406000", "created": "2026-03-02T18:04:23.554000", "tags": [ "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 156, "domain": 305, "URL": 208, "FileHash-MD5": 86, "FileHash-SHA1": 20 }, "indicator_count": 775, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707e5b7df6f60133e8fb50", "name": "Jeeng / Powerbox", "description": "", "modified": "2023-12-06T13:59:55.129000", "created": "2023-12-06T13:59:55.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 9072, "domain": 2500, "hostname": 3584, "URL": 13548, "FileHash-MD5": 197, "FileHash-SHA1": 162, "email": 19, "CIDR": 20, "SSLCertFingerprint": 2, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620c3b1f8af7ea0dcf2c1218", "name": "Jeeng / Powerbox", "description": "", "modified": "2022-06-12T22:01:23.105000", "created": "2022-02-15T23:45:35.234000", "tags": [ "Jeeng", "tim pool", "timcast" ], "references": [ "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9072, "domain": 2500, "URL": 13548, "hostname": 3584, "FileHash-MD5": 197, "FileHash-SHA1": 162, "CVE": 3, "CIDR": 20, "SSLCertFingerprint": 2, "email": 19, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 97, "modified_text": "1407 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fixtracking.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fixtracking.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776641474.518609 }