{
"type": "Domain",
"indicator": "fmgirl.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/fmgirl.com",
"alexa": "http://www.alexa.com/siteinfo/fmgirl.com",
"indicator": "fmgirl.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3078177492,
"indicator": "fmgirl.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 5,
"pulses": [
{
"id": "69f2dc7e076cbfe2d0f7eb90",
"name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
"description": "",
"modified": "2026-05-30T00:28:12.957000",
"created": "2026-04-30T04:37:18.870000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66fc29a49b5ac693c8d75122",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3851,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3330,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69f2dc7db0bb5c5cdaec5a6c",
"name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
"description": "",
"modified": "2026-04-30T04:53:09.713000",
"created": "2026-04-30T04:37:17.546000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66fc29a49b5ac693c8d75122",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3851,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3330,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "31 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6854082f2edb40c1c80b0831",
"name": "JSDdelivr blocklist",
"description": "",
"modified": "2025-06-19T14:28:09.610000",
"created": "2025-06-19T12:53:03.734000",
"tags": [],
"references": [
"https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 5675,
"hostname": 171
},
"indicator_count": 5846,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 183,
"modified_text": "345 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66fc29a49b5ac693c8d75122",
"name": "Medical Campus - Aurora, Co | Recheck",
"description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
"modified": "2024-10-31T16:03:52.240000",
"created": "2024-10-01T16:56:04.004000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3850,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3329,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31779,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 236,
"modified_text": "576 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"https://l.us-1.a.mimecastprotect.com/l",
"div>
",
"Same legal , and quasi governmental pattern identified",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"I apologize for the lack of reference.",
"https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt",
"It appears there are 5-7 known affected that I was able to find",
"Requires further research.",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"Will pulse remaining Apple IoC\u2019s in next pulse"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Icedid",
"Trojan:win32/smkldr.h!mtb",
"Mirai",
"Mydoom",
"#lowfi:lua:dllsuspiciousexport.a",
"Artro"
],
"industries": [
"Technology",
"Legal",
"Telecom"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 5,
"pulses": [
{
"id": "69f2dc7e076cbfe2d0f7eb90",
"name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
"description": "",
"modified": "2026-05-30T00:28:12.957000",
"created": "2026-04-30T04:37:18.870000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66fc29a49b5ac693c8d75122",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3851,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3330,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 69,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69f2dc7db0bb5c5cdaec5a6c",
"name": "credit scoreblue [Medical Campus - Aurora, Co | Recheck]",
"description": "",
"modified": "2026-04-30T04:53:09.713000",
"created": "2026-04-30T04:37:17.546000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "66fc29a49b5ac693c8d75122",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3851,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3330,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 66,
"modified_text": "31 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6854082f2edb40c1c80b0831",
"name": "JSDdelivr blocklist",
"description": "",
"modified": "2025-06-19T14:28:09.610000",
"created": "2025-06-19T12:53:03.734000",
"tags": [],
"references": [
"https://cdn.jsdelivr.net/gh/salaryman-technologies/quickpick@refs/heads/main/blocklist.txt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 5675,
"hostname": 171
},
"indicator_count": 5846,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 183,
"modified_text": "345 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": false,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66fc29a49b5ac693c8d75122",
"name": "Medical Campus - Aurora, Co | Recheck",
"description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB",
"modified": "2024-10-31T16:03:52.240000",
"created": "2024-10-01T16:56:04.004000",
"tags": [
"united",
"as397240",
"search",
"showing",
"as54113",
"as397241",
"unknown",
"moved",
"creation date",
"record value",
"next",
"date",
"body",
"a domains",
"passive dns",
"formbook cnc",
"checkin",
"entries",
"github pages",
"sea x",
"accept",
"status",
"name servers",
"certificate",
"urls",
"aaaa",
"cname",
"meta",
"whitelisted ip",
"address",
"location united",
"asn as36459",
"github",
"less whois",
"registrar",
"markmonitor",
"related tags",
"as36459",
"scan endpoints",
"all scoreblue",
"ipv4",
"pulse pulses",
"files",
"ninite",
"expiration date",
"domain",
"hostname",
"sha256",
"sha1",
"ascii text",
"pattern match",
"document file",
"v2 document",
"utf8",
"crlf line",
"beginstring",
"size",
"null",
"hybrid",
"refresh",
"span",
"local",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"contact",
"url https",
"tulach type",
"role title",
"added active",
"pulses url",
"url http",
"nextc type",
"type indicator",
"related pulses",
"filehashsha256",
"copyright",
"ipv6",
"germany",
"italy",
"trojan",
"trojanspy",
"worm",
"trojanclicker",
"virtool",
"service",
"linux x8664",
"khtml",
"gecko",
"veryhigh",
"redirect",
"httpsupgrades",
"collisionbox",
"runner",
"gameoverpanel",
"trex",
"orgtechhandle",
"orgtechref",
"director",
"university",
"nethandle",
"net168",
"net1680000",
"ucha",
"orgid",
"east",
"report spam",
"as8075",
"servers",
"secure server",
"error all",
"typeof",
"error f",
"crazy doll",
"created",
"filehashmd5",
"types of",
"russia",
"emotet type",
"mirai type",
"mirai",
"mtb description",
"win32 type",
"as31034 aruba",
"italy unknown",
"as19527 google",
"encrypt",
"health type",
"miori hackers",
"brute force",
"backdoor",
"aurora",
"ip address",
"path",
"unis",
"dotcisoffer",
"bladabindi",
"artro",
"script urls",
"as46606",
"brazil unknown",
"as11284",
"as10906",
"apache",
"lanc type",
"telper",
"win32",
"win64",
"pulses email",
"as9009 m247",
"as7296 alchemy",
"as14061",
"as16276",
"trojandropper",
"ransom",
"mtb sep",
"msie",
"chrome",
"ip check",
"gmt content",
"pulse submit",
"url analysis",
"files ip",
"aaaa nxdomain",
"nxdomain",
"a nxdomain",
"as22612",
"dnssec",
"meta http",
"accept encoding",
"request id",
"united kingdom",
"div div",
"arial helvetica",
"emails",
"as15169 google",
"cryp",
"gmt cache",
"sameorigin",
"domain name",
"code",
"false",
"command type",
"roleselfservice",
"mcig sep",
"all search",
"author avatar",
"days ago",
"http",
"related nids",
"files location",
"as30081",
"gmt contenttype",
"mozilla",
"as15133 verizon",
"whitelisted",
"meta name",
"robots content",
"x ua",
"ieedge chrome1",
"incapsula",
"request",
"softcnapp",
"overview ip",
"flag united",
"files related",
"as62597 nsone",
"as31898 oracle",
"mtb aug",
"class",
"twitter",
"april",
"secure",
"httponly",
"expiresthu",
"pragma",
"as13414 twitter",
"smoke loader",
"reverse dns",
"asnone united",
"idlogin sep",
"uid38009",
"expiration",
"hack type",
"porn type"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Italy",
"Aruba"
],
"malware_families": [
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "Artro",
"display_name": "Artro",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1096",
"name": "NTFS File Attributes",
"display_name": "T1096 - NTFS File Attributes"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1110",
"name": "Brute Force",
"display_name": "T1110 - Brute Force"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 53,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3850,
"FileHash-MD5": 6012,
"FileHash-SHA1": 5906,
"domain": 3329,
"email": 33,
"hostname": 4231,
"CVE": 2,
"FileHash-SHA256": 8407,
"CIDR": 2,
"SSLCertFingerprint": 7
},
"indicator_count": 31779,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 236,
"modified_text": "576 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "fmgirl.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "fmgirl.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1780214916.7355697
}