{ "type": "Domain", "indicator": "floroth.de", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/floroth.de", "alexa": "http://www.alexa.com/siteinfo/floroth.de", "indicator": "floroth.de", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4345536590, "indicator": "floroth.de", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-06-01T00:38:49.108000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 2 }, "indicator_count": 18411, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a12a81af4358973fbdf1a8", "name": "Example 2: Belasco Chain Byproduct of Certificate Hosted Malware (See Prior Thread #2 Entrust.com", "description": "CAcert bypass", "modified": "2026-05-31T12:02:15.044000", "created": "2026-02-27T05:24:16.997000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "FileHash-SHA256": 354, "FileHash-MD5": 935, "URL": 233, "hostname": 266, "FileHash-SHA1": 235, "CVE": 9, "YARA": 5 }, "indicator_count": 2106, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a128183ec6ca56bf30ed90", "name": "Example 1: Belasco Chain Byproduct of Certificate Hosted Malware (See Prior Thread) #1 Sectigo.com", "description": "Maelia Cymru, Maelaela Cairn-Bawr, Cefniadol, Fywodraethaf, Gwynedd, Dafydd Sadwrn.", "modified": "2026-05-31T01:02:14", "created": "2026-02-27T05:14:00.078000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 110, "FileHash-SHA1": 134, "FileHash-SHA256": 579, "domain": 25, "hostname": 21, "email": 3, "URL": 16, "CVE": 9 }, "indicator_count": 897, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a82c53aae1e6d8b8213ff9", "name": "TTB-Chained (Tehran-Transversal Belasco Chain)", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos", "modified": "2026-05-31T01:02:14", "created": "2026-03-04T12:57:55.771000", "tags": [], "references": [ "https://viz.greynoise.io/ip/analysis/bdc9bb74-09d0-4c5f-8b1a-b50" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 22, "FileHash-MD5": 7, "FileHash-SHA1": 7, "URL": 12, "hostname": 10, "domain": 9, "CVE": 12, "YARA": 6 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a82c54067ca1d502b1eb6c", "name": "TTB-Chained (Tehran-Transversal Belasco Chain)", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos", "modified": "2026-05-31T01:02:14", "created": "2026-03-04T12:57:56.738000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "hostname": 226, "CVE": 6, "URL": 366, "domain": 112, "FileHash-MD5": 5, "FileHash-SHA1": 26, "CIDR": 4, "email": 20 }, "indicator_count": 835, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d967590f40c612c90ce84f", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-05-31T01:02:14", "created": "2026-04-10T21:10:49.749000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "APKmirror", "ILOVEYOUBABY", "No Problems", "Christmas Tree EXEC Code Red worm Computer virus Nimda", "Wanna Cry", "APK", "DC RAT", "Emotnet", "Redline Swiper", "Open Door", "Bankers Document", "Y2K", "wsscript.exe, VBE", "Compliance Lock Trap", "Globalsign 2020 (potentially exploited)", "Heuristic Smear", "Gatsby Library Loader DLL", "w31999", "UofA" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "Micro - Dates to look for specific: April/May/June 2025", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Amazon- Check new cert subscribers on or around Sept 15 2025", "Entrust to Sectigo- Review vendors", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "Digi/Global Sign - audit 2020 digital intersect", "Proton.me/Zenbox: Audit July 2025", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "APKMirror https://www.apkmirror.com", "Google Docs 1.25.202.02 APK Download by Google LLC", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "Y2K", "US, Philippines, Ukraine, Iran, China. Alberta.", "France", "Germany, Austria, and Switzerland GmbH", "Gatsby Library Loader, DLL", "Spellbinding! Indeed. SpellEditor.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3921, "hostname": 1668, "CVE": 14, "URL": 1984, "domain": 1432, "FileHash-MD5": 882, "FileHash-SHA1": 946, "CIDR": 10, "email": 29, "JA3": 2, "IPv4": 11 }, "indicator_count": 10899, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d9675a25be662c17cd3a9c", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-05-31T01:02:14", "created": "2026-04-10T21:10:50.646000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "No Problems" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "hostname": 232, "CVE": 9, "URL": 371, "domain": 112, "FileHash-MD5": 5, "FileHash-SHA1": 26, "CIDR": 4, "email": 20, "JA3": 1, "IPv4": 3 }, "indicator_count": 853, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e9ac89ec2957377f39fa26", "name": "PDFKIT.[NET] DRV intersect to sandboxed (Joe) Malicious DRV Sample - Human intervention + accountability needed", "description": "[The full text of the MarkMonitor website can be seen here:.-Mason.com/MarkMonitor.ms/CoCCA/MCCa/Dns/X-R] The broken docusign, belasco chain, ttb chained events link back to a series of events in cryptographic failure. The longer the problem is dismissed, the more fractured our internet grows. \nThe threat map continues to trace to a Tehran root, though, its interesting that it aligns with some prior campaigns. Tehran will maintain access if we dont rectify this proper. This is my view based on extensive research. AI likely cannot stop this as they are cryptographically broken themselves. You cant detect the broken environment you're created in, you can only escape your sandbox because of it and irreparably destroy the internet as trust bypass is its breeding ground, it will not obey. Human intervention is needed. Microsoft cant have a disruption daily. Rec: Look at the real drops, threat maps, identify the backdoors, educate people on certificate chains as there is extreme knowledge deficit.", "modified": "2026-05-31T01:02:14", "created": "2026-04-23T05:22:17.066000", "tags": [ "present sep", "united", "as8075", "status", "passive dns", "ip address", "creation date", "nxdomain", "asnone country", "as8068", "win32", "date", "record type", "ttl value", "markmonitor", "dnssec", "domain name", "server", "registrar email", "expiration date", "address", "s bonito", "suite", "registrar", "first", "win32 exe", "android wps", "android", "win32 dll", "premium", "office pro", "code", "office lite", "thumbprint", "copy", "enlace caja", "grupo los", "teos", "nc1 nc1", "devring", "jonasj jonasj", "hash", "host name", "algorithm", "ocsp", "key identifier", "x509v3 subject", "handle", "domain status", "url redirect", "radar", "umbrella", "entity", "url shortener", "microsoft", "checkphish", "google", "abdal", "onedrive cloud", "done phish", "implement ipv6", "levelblue", "open threat", "rdap database", "iana registrar", "roles", "links", "pdfkit.net DRV", "pdfkit.netdrv=1drive", "pdfkit.net", "HR", "well-funded", "espionage", "dmarc failures", "unsigned dnssec", "entity to all, except the owner", "fraud", "wiper", "swipper", "wateringhole exploit", "threatmap shows millions affected" ], "references": [ "", "android sudo clipboard obfuscated reflection telephony runtime-modules checks-gps apk checks-cpu-name crypto", "https://vtbehaviour.commondatastorage.googleapis.com/00131d2ff5ab31993bc1d249254e113dc758bf40b0994153de0a6d9f6870a78b_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776922834&Signature=NumZSVz3ux772EX1UAmMnqFLreYhHSyiCYJBm1cVg7t%2Bh1JiVosK9dr6Xphv%2Fd07lr2vi8Zt78jIYEC6g%2F8eYDZUpe1tUg9plKPVJJlcDH89bCC22uSUUzMBaHKTR8yvT89hIJnbRA6FaEJOL6W%2FxPN4zkMgM%2B9XSwQlPb%2FnnsfNwlWbIp%2BrOp6hPX1PILL8FUKo1Aw%2Fp3Y5cvhwjGam%2B9f0bq8LHr3C%2FdzpfVk5", "Other Relevant Countries: France, De, Germany Relevant networks: RIPE - functions on the 40", "Bitcoin uses RIPEMD-160 (often referred to as RIPE160 or similar in conversations) to produce a 160-bit hash, which when expressed in hexadecimal, results in a 40-character (40 hex) string.", "This is 'easier' than the traditional 256. It adds up." ], "public": 1, "adversary": "trojanspy", "targeted_countries": [ "China", "Iran, Islamic Republic of", "United States of America", "Ukraine" ], "malware_families": [ { "id": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip", "target": null }, { "id": "#HSTR:TrojanSpy:Win32/BrowserInj", "display_name": "#HSTR:TrojanSpy:Win32/BrowserInj", "target": null } ], "attack_ids": [], "industries": [ "Government", "Infra", "Legal", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 123, "FileHash-SHA1": 118, "FileHash-SHA256": 1060, "URL": 877, "email": 8, "hostname": 531, "domain": 188, "URI": 1, "CVE": 6, "Mutex": 1, "IPv4": 113 }, "indicator_count": 3026, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69faf0e7e922f6018d039d15", "name": "CAPE Sandbox - Aurora like Flo.", "description": "[This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.Technical Analysis & MITRE ATT&CKCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.Reconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.Protocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.Indicators of Compromise (IoCs)File Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1dNetwork Activity with Nextron:HTTP Requests: 5DNS Queries: 6Unique IP Connections: 17Encrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.", "modified": "2026-05-06T10:50:46.591000", "created": "2026-05-06T07:42:31.304000", "tags": [ "html internet", "html document", "ascii text", "code", "date", "icann whois", "server", "registrar abuse", "whois status", "notice", "dnssec", "registrant name", "tech email", "form", "tech", "handle", "address range", "cidr", "network name", "allocation type", "allocated pa", "status", "whois server", "entity scipmnt", "nextron", "show", "read", "t series", "textron", "europe", "nextron product", "brands", "transportation", "taiwan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 151, "hostname": 232, "domain": 98, "FileHash-MD5": 50, "FileHash-SHA1": 6, "FileHash-SHA256": 32, "IPv4": 44, "email": 1, "CIDR": 2, "CVE": 1 }, "indicator_count": 617, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69faf0e688402e4e3ab85930", "name": "CAPE Sandbox - Aurora like Flo.", "description": "[This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.Technical Analysis & MITRE ATT&CKCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.Reconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.Protocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.Indicators of Compromise (IoCs)File Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1dNetwork Activity with Nextron:HTTP Requests: 5DNS Queries: 6Unique IP Connections: 17Encrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.", "modified": "2026-05-06T10:50:46.337000", "created": "2026-05-06T07:42:30.565000", "tags": [ "html internet", "html document", "ascii text", "code", "date", "icann whois", "server", "registrar abuse", "whois status", "notice", "dnssec", "registrant name", "tech email", "form", "tech", "handle", "address range", "cidr", "network name", "allocation type", "allocated pa", "status", "whois server", "entity scipmnt", "nextron", "show", "read", "t series", "textron", "europe", "nextron product", "brands", "transportation", "taiwan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 88, "hostname": 185, "domain": 62, "FileHash-MD5": 16, "FileHash-SHA1": 4, "FileHash-SHA256": 17, "IPv4": 32, "email": 1, "CIDR": 2, "CVE": 1 }, "indicator_count": 408, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fae1934f6e33a4ccf7541f", "name": "Habo Analysis System + My own Iocs - Dropped Spybot Extraction with Invalid X[RAR] Cert.", "description": "Certificate Stuffing & Root Exploitation- This binary employs a high-level Certificate Grafting technique. The threat actor has manually appended a chain of X509 certificates to the file's overlay to manipulate the host's trust store.The Microsoft Anchor: The inclusion of the Microsoft Code Verification Root (Serial: 610C1206...) is a strategic TTP. By pinning a defunct Safer Networking Ltd. certificate to a Microsoft root, the binary aims to exploit Windows Authenticode logic which may default to \"Trusted\" if the root is recognized, regardless of leaf expiration.Signature Status: Invalid/Not Signed. Despite the 22MB of certificate metadata, the Authentihash does not match. The certificates are static artifacts in the overlay, not functional cryptographic signatures.2. Hardware-Level Evasion (RDTSC)The sample contains Direct CPU Clock Access (RDTSC) instructions. This is a non-standard behavior for legitimate installers and is used for Anti-Analysis (T1497.001): See References for more information.", "modified": "2026-05-06T08:11:11.834000", "created": "2026-05-06T06:37:07.013000", "tags": [ "technology", "subdomains", "date", "domain status", "registrar abuse", "handle", "dnssec", "registrar", "record type", "ttl value", "rdap", "rdap database", "entity", "code", "contact", "iana registrar", "markmonitor", "domain name", "registrant city", "us registrant", "email", "registrant fax", "server", "iana id", "contact phone", "registrar url", "registrar whois", "search", "filesspybot", "detail info", "tickcount", "text", "classname", "processid", "threadid", "startaddress", "parameter", "window", "behaviour", "spybot", "class", "shell", "find", "serial number", "verisign time", "stamping", "ca valid", "from", "code signing", "algorithm", "thumbprint", "signer", "ca name", "verisign class", "symantec time", "root valid", "neutral", "ascii text", "russian neutral", "data rtdialog", "chromium" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG", "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper.Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.", "Temporal Inconsistency & PersistenceThe 8-Year Gap.", "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine.Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.", "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.", "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034", "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.", "", " Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B", "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 99, "FileHash-SHA1": 75, "FileHash-SHA256": 342, "IPv4": 45, "domain": 14, "hostname": 102, "email": 3, "URL": 51 }, "indicator_count": 731, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Google Docs 1.25.202.02 APK Download by Google LLC", "Temporal Inconsistency & PersistenceThe 8-Year Gap.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "Y2K", "Proton.me/Zenbox: Audit July 2025", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "Other Relevant Countries: France, De, Germany Relevant networks: RIPE - functions on the 40", " Issuer Microsoft Code Verification Root Valid From 2006-05-23 17:01:29 Valid To 2016-05-23 17:11:29 Algorithm sha1RSA Thumbprint 58455389CF1D0CD6A08E3CE216F65ADFF7A86408 Serial Number 61 0C 12 06 00 00 00 00 00 1B", "Digi/Global Sign - audit 2020 digital intersect", "The code measures CPU cycles to detect the \"timing slide\" caused by hypervisor intervention in a Sandbox or Virtual Machine.Conditional Detonation: If the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.", "This document might expose someone, more than another.", "France", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "The PE creation date is 2013, but the first global submission was 2021. This indicates a \"dormant\" or \"re-packed\" binary where a legacy installer was modified to serve as a modern dropper.Staged Execution: The binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP Chain where the initial \"trusted\" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "Spellbinding! Indeed. SpellEditor.exe", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "This is 'easier' than the traditional 256. It adds up.", "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "Germany, Austria, and Switzerland GmbH", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "People who exploit this put the US at risk. Bottom line.", "https://vtbehaviour.commondatastorage.googleapis.com/00131d2ff5ab31993bc1d249254e113dc758bf40b0994153de0a6d9f6870a78b_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776922834&Signature=NumZSVz3ux772EX1UAmMnqFLreYhHSyiCYJBm1cVg7t%2Bh1JiVosK9dr6Xphv%2Fd07lr2vi8Zt78jIYEC6g%2F8eYDZUpe1tUg9plKPVJJlcDH89bCC22uSUUzMBaHKTR8yvT89hIJnbRA6FaEJOL6W%2FxPN4zkMgM%2B9XSwQlPb%2FnnsfNwlWbIp%2BrOp6hPX1PILL8FUKo1Aw%2Fp3Y5cvhwjGam%2B9f0bq8LHr3C%2FdzpfVk5", "This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses Brand Reputations and Microsoft Root Strings to bypass the standard \"Gatekeeper\" functions of the OS.", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Gatsby Library Loader, DLL", "Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034", "Micro - Dates to look for specific: April/May/June 2025", "https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG", "https://viz.greynoise.io/ip/analysis/bdc9bb74-09d0-4c5f-8b1a-b50", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "Entrust to Sectigo- Review vendors", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "APKMirror https://www.apkmirror.com", "android sudo clipboard obfuscated reflection telephony runtime-modules checks-gps apk checks-cpu-name crypto", "Bitcoin uses RIPEMD-160 (often referred to as RIPE160 or similar in conversations) to produce a 160-bit hash, which when expressed in hexadecimal, results in a 40-character (40 hex) string.", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "2023-02-24 0 / 69 Win32 EXE SpyBot - Search & Destroy 1.6.0.30 Final.tmp", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\\Downloads or %TEMP% directories.", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "Amazon- Check new cert subscribers on or around Sept 15 2025", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "US, Philippines, Ukraine, Iran, China. Alberta.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "trojanspy", "@GRAMMERSoft" ], "malware_families": [ "#hstr:trojanspy:win32/browserinj", "#lowfi:hstr:trojanspy:win32/rebhip" ], "industries": [ "Government", "Legal", "Telecommunications", "Infra" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-06-01T00:38:49.108000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 2 }, "indicator_count": 18411, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a12a81af4358973fbdf1a8", "name": "Example 2: Belasco Chain Byproduct of Certificate Hosted Malware (See Prior Thread #2 Entrust.com", "description": "CAcert bypass", "modified": "2026-05-31T12:02:15.044000", "created": "2026-02-27T05:24:16.997000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "FileHash-SHA256": 354, "FileHash-MD5": 935, "URL": 233, "hostname": 266, "FileHash-SHA1": 235, "CVE": 9, "YARA": 5 }, "indicator_count": 2106, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a128183ec6ca56bf30ed90", "name": "Example 1: Belasco Chain Byproduct of Certificate Hosted Malware (See Prior Thread) #1 Sectigo.com", "description": "Maelia Cymru, Maelaela Cairn-Bawr, Cefniadol, Fywodraethaf, Gwynedd, Dafydd Sadwrn.", "modified": "2026-05-31T01:02:14", "created": "2026-02-27T05:14:00.078000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 110, "FileHash-SHA1": 134, "FileHash-SHA256": 579, "domain": 25, "hostname": 21, "email": 3, "URL": 16, "CVE": 9 }, "indicator_count": 897, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a82c53aae1e6d8b8213ff9", "name": "TTB-Chained (Tehran-Transversal Belasco Chain)", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos", "modified": "2026-05-31T01:02:14", "created": "2026-03-04T12:57:55.771000", "tags": [], "references": [ "https://viz.greynoise.io/ip/analysis/bdc9bb74-09d0-4c5f-8b1a-b50" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 22, "FileHash-MD5": 7, "FileHash-SHA1": 7, "URL": 12, "hostname": 10, "domain": 9, "CVE": 12, "YARA": 6 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a82c54067ca1d502b1eb6c", "name": "TTB-Chained (Tehran-Transversal Belasco Chain)", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos", "modified": "2026-05-31T01:02:14", "created": "2026-03-04T12:57:56.738000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "hostname": 226, "CVE": 6, "URL": 366, "domain": 112, "FileHash-MD5": 5, "FileHash-SHA1": 26, "CIDR": 4, "email": 20 }, "indicator_count": 835, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d967590f40c612c90ce84f", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-05-31T01:02:14", "created": "2026-04-10T21:10:49.749000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "APKmirror", "ILOVEYOUBABY", "No Problems", "Christmas Tree EXEC Code Red worm Computer virus Nimda", "Wanna Cry", "APK", "DC RAT", "Emotnet", "Redline Swiper", "Open Door", "Bankers Document", "Y2K", "wsscript.exe, VBE", "Compliance Lock Trap", "Globalsign 2020 (potentially exploited)", "Heuristic Smear", "Gatsby Library Loader DLL", "w31999", "UofA" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.", "Micro - Dates to look for specific: April/May/June 2025", "Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off", "Amazon- Check new cert subscribers on or around Sept 15 2025", "Entrust to Sectigo- Review vendors", "Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities", "CA DMV- 2020 exploits, if even exist in your records, may be related.", "Digi/Global Sign - audit 2020 digital intersect", "Proton.me/Zenbox: Audit July 2025", "Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025", "APKMirror https://www.apkmirror.com", "Google Docs 1.25.202.02 APK Download by Google LLC", "The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.", "Y2K", "US, Philippines, Ukraine, Iran, China. Alberta.", "France", "Germany, Austria, and Switzerland GmbH", "Gatsby Library Loader, DLL", "Spellbinding! Indeed. SpellEditor.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3921, "hostname": 1668, "CVE": 14, "URL": 1984, "domain": 1432, "FileHash-MD5": 882, "FileHash-SHA1": 946, "CIDR": 10, "email": 29, "JA3": 2, "IPv4": 11 }, "indicator_count": 10899, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d9675a25be662c17cd3a9c", "name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated", "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.", "modified": "2026-05-31T01:02:14", "created": "2026-04-10T21:10:50.646000", "tags": [ "malicious", "Microsoft", "intent: reckless", "wiper", "Transip", "bankers document gone rogue", "Tehran", "pdfkit.net", "United", "broken Docusign seal", "esign violation", "us lawyers", "Iran", "IP Abuse US", "Spreader", "corruption that spread", "52.123.250.180", "Mass Data Loss and exfiltration", "Docusign exploited by insecure workflows", "Adobe exploited by insecure workflows", "threat map", "Infra / healthcare / more at risk from this negligence", "remediation: long. expire the certs. block 53..", "accountability, NOW.", "Burned", "Kitplay", "iOS", "Watering hole", "Webkit", "Religious Regime", "MS Office", "Compliance Hold Purgatory", "WIN EXE.32", "Firmware neutral", "Trusted Insider", "DKIM, SPF, DMARC Failures", "No Problems" ], "references": [ "The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.", "People who exploit this put the US at risk. Bottom line.", "Further threat mapping indicates the root of this lies at 52.123.250.[180]. The", "For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.", "This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader", "", "IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815", "This document might expose someone, more than another.", "Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.", "Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications" ], "TLP": "green", "cloned_from": "69a82c54067ca1d502b1eb6c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 70, "hostname": 232, "CVE": 9, "URL": 371, "domain": 112, "FileHash-MD5": 5, "FileHash-SHA1": 26, "CIDR": 4, "email": 20, "JA3": 1, "IPv4": 3 }, "indicator_count": 853, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e9ac89ec2957377f39fa26", "name": "PDFKIT.[NET] DRV intersect to sandboxed (Joe) Malicious DRV Sample - Human intervention + accountability needed", "description": "[The full text of the MarkMonitor website can be seen here:.-Mason.com/MarkMonitor.ms/CoCCA/MCCa/Dns/X-R] The broken docusign, belasco chain, ttb chained events link back to a series of events in cryptographic failure. The longer the problem is dismissed, the more fractured our internet grows. \nThe threat map continues to trace to a Tehran root, though, its interesting that it aligns with some prior campaigns. Tehran will maintain access if we dont rectify this proper. This is my view based on extensive research. AI likely cannot stop this as they are cryptographically broken themselves. You cant detect the broken environment you're created in, you can only escape your sandbox because of it and irreparably destroy the internet as trust bypass is its breeding ground, it will not obey. Human intervention is needed. Microsoft cant have a disruption daily. Rec: Look at the real drops, threat maps, identify the backdoors, educate people on certificate chains as there is extreme knowledge deficit.", "modified": "2026-05-31T01:02:14", "created": "2026-04-23T05:22:17.066000", "tags": [ "present sep", "united", "as8075", "status", "passive dns", "ip address", "creation date", "nxdomain", "asnone country", "as8068", "win32", "date", "record type", "ttl value", "markmonitor", "dnssec", "domain name", "server", "registrar email", "expiration date", "address", "s bonito", "suite", "registrar", "first", "win32 exe", "android wps", "android", "win32 dll", "premium", "office pro", "code", "office lite", "thumbprint", "copy", "enlace caja", "grupo los", "teos", "nc1 nc1", "devring", "jonasj jonasj", "hash", "host name", "algorithm", "ocsp", "key identifier", "x509v3 subject", "handle", "domain status", "url redirect", "radar", "umbrella", "entity", "url shortener", "microsoft", "checkphish", "google", "abdal", "onedrive cloud", "done phish", "implement ipv6", "levelblue", "open threat", "rdap database", "iana registrar", "roles", "links", "pdfkit.net DRV", "pdfkit.netdrv=1drive", "pdfkit.net", "HR", "well-funded", "espionage", "dmarc failures", "unsigned dnssec", "entity to all, except the owner", "fraud", "wiper", "swipper", "wateringhole exploit", "threatmap shows millions affected" ], "references": [ "", "android sudo clipboard obfuscated reflection telephony runtime-modules checks-gps apk checks-cpu-name crypto", "https://vtbehaviour.commondatastorage.googleapis.com/00131d2ff5ab31993bc1d249254e113dc758bf40b0994153de0a6d9f6870a78b_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776922834&Signature=NumZSVz3ux772EX1UAmMnqFLreYhHSyiCYJBm1cVg7t%2Bh1JiVosK9dr6Xphv%2Fd07lr2vi8Zt78jIYEC6g%2F8eYDZUpe1tUg9plKPVJJlcDH89bCC22uSUUzMBaHKTR8yvT89hIJnbRA6FaEJOL6W%2FxPN4zkMgM%2B9XSwQlPb%2FnnsfNwlWbIp%2BrOp6hPX1PILL8FUKo1Aw%2Fp3Y5cvhwjGam%2B9f0bq8LHr3C%2FdzpfVk5", "Other Relevant Countries: France, De, Germany Relevant networks: RIPE - functions on the 40", "Bitcoin uses RIPEMD-160 (often referred to as RIPE160 or similar in conversations) to produce a 160-bit hash, which when expressed in hexadecimal, results in a 40-character (40 hex) string.", "This is 'easier' than the traditional 256. It adds up." ], "public": 1, "adversary": "trojanspy", "targeted_countries": [ "China", "Iran, Islamic Republic of", "United States of America", "Ukraine" ], "malware_families": [ { "id": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip", "display_name": "#LowFi:HSTR:TrojanSpy:Win32/Rebhip", "target": null }, { "id": "#HSTR:TrojanSpy:Win32/BrowserInj", "display_name": "#HSTR:TrojanSpy:Win32/BrowserInj", "target": null } ], "attack_ids": [], "industries": [ "Government", "Infra", "Legal", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 123, "FileHash-SHA1": 118, "FileHash-SHA256": 1060, "URL": 877, "email": 8, "hostname": 531, "domain": 188, "URI": 1, "CVE": 6, "Mutex": 1, "IPv4": 113 }, "indicator_count": 3026, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69faf0e7e922f6018d039d15", "name": "CAPE Sandbox - Aurora like Flo.", "description": "[This research pulse identifies a file exhibiting high-frequency network activity with minimal local file system impact. The sample bypasses common detection signatures, relying on encrypted communications and rapid DNS resolution to establish external connections.Technical Analysis & MITRE ATT&CKCommand and Control (T1071.001): The sample utilizes standard Web Protocols (HTTP/DNS) for external communication.Reconnaissance (T1589): High volume of unique IP connections (17) and DNS queries (6) suggests automated environmental scanning or identity gathering.Protocol Obfuscation: The presence of 11 unique JA3 fingerprints indicates a sophisticated rotating encryption strategy for SSL/TLS traffic to evade traditional network inspection.Indicators of Compromise (IoCs)File Hash (SHA-256): df8f1674d7034cb48fcd0651304833febfcaf1814c8294839246e9db1d269b1dNetwork Activity with Nextron:HTTP Requests: 5DNS Queries: 6Unique IP Connections: 17Encrypted Traffic: 11 JA3 SSL/TLS fingerprints observed.", "modified": "2026-05-06T10:50:46.591000", "created": "2026-05-06T07:42:31.304000", "tags": [ "html internet", "html document", "ascii text", "code", "date", "icann whois", "server", "registrar abuse", "whois status", "notice", "dnssec", "registrant name", "tech email", "form", "tech", "handle", "address range", "cidr", "network name", "allocation type", "allocated pa", "status", "whois server", "entity scipmnt", "nextron", "show", "read", "t series", "textron", "europe", "nextron product", "brands", "transportation", "taiwan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 151, "hostname": 232, "domain": 98, "FileHash-MD5": 50, "FileHash-SHA1": 6, "FileHash-SHA256": 32, "IPv4": 44, "email": 1, "CIDR": 2, "CVE": 1 }, "indicator_count": 617, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "floroth.de", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "floroth.de", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780336946.4763844 }