{ "type": "Domain", "indicator": "foo.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/foo.com", "alexa": "http://www.alexa.com/siteinfo/foo.com", "indicator": "foo.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain foo.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2904786498, "indicator": "foo.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d00b0ea85aaf98736", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.954000", "created": "2026-04-04T19:46:05.954000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d28330920cf77f5b0", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.437000", "created": "2026-04-04T19:46:05.437000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7c0f0657edc9c6d735", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:04.113000", "created": "2026-04-04T19:46:04.113000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7bc549fa66f964d19b", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:03.621000", "created": "2026-04-04T19:46:03.621000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5d5e3505dead54faab143", "name": "com.apple.security.sos.error.com", "description": "....sos", "modified": "2026-04-02T23:13:44.625000", "created": "2026-03-02T18:24:35.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 139, "domain": 113, "URL": 126, "FileHash-MD5": 91, "FileHash-SHA1": 72, "FileHash-SHA256": 777, "CIDR": 3 }, "indicator_count": 1321, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b67fcb32a370a5be555e6c", "name": "VirusTotal report\n for od-sugar-mail-email-app-mod-apk-pro-unlocked-1-4-329-329.apk", "description": "I don't own an android. \"not malicious\" \"Requests potentially dangerous permissions\" smh. Defense Evasion\nT1421 System Network Connections Discovery confidence: medium\nT1422 System Network Configuration Discovery confidence: medium\nT1430 Location Tracking confidence: medium\nT1418 Software Discovery confidence: medium\nT1426 System Information Discovery confidence: medium\nT1424 Process Discovery confidence: medium\nDiscovery\nT1430 Location Tracking confidence: medium\nT1518.001 Security Software Discovery confidence: low\nT1409 Stored Application Data confidence: medium\nNetwork Info", "modified": "2026-03-15T10:27:15.864000", "created": "2026-03-15T09:45:47.270000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 76, "hostname": 20, "domain": 16 }, "indicator_count": 118, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b60cdecf42fb532f2ceb12", "name": "U of A DataBreach Update - 11.13.25", "description": "Domain Analysis that serves as evidence of an on-going DataBreaches at the University of Alberta with associated references.\nAnalysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta as detailed in this Pulse.", "modified": "2025-12-13T22:01:27.739000", "created": "2025-09-01T21:15:10.117000", "tags": [ "as16509", "amazon02", "redirect", "tags", "as14618", "amazonaes", "search", "public", "search live", "api blog", "patch http", "please", "javascript", "url", "website", "web", "scanner", "analyze", "analyzer", "search api", "make sure", "domain", "and not", "page", "home search", "live api", "blog docs", "pricing login", "greynoise", "visualizer skip", "service status", "company blog", "us careers", "policies vpat", "slo privacy", "cookie patent", "copyright", "google privacy", "sandbox", "reputation", "phishing", "malware", "amazon web", "services", "warning icon", "share report", "systems", "cloudflare", "varnish", "nginx", "apache", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "course", "program", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "UAlberta" ], "references": [ "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs", "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary", "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca", "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930", "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0", "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc", "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43", "https://viz.greynoise.io/query/AS3359", "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark", "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca", "https://www.urlvoid.com/dns-records-lookup/", "https://www.shodan.io/search?query=ualberta.ca", "https://dnsdumpster.com/", "https://bgpview.io/asn/3359#whois", "https://centralops.net/co/", "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100", "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697", "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca", "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290", "https://www.criminalip.io/asset/search?query=ualberta.ca", "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca", "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report", "https://whois.domaintools.com/ualberta.ca", "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca", "https://viewdns.info/iphistory/?domain=ualberta.ca", "https://viewdns.info/portscan/?host=ualberta.ca", "https://whois.easycounter.com/ualberta.ca", "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca", "https://who.is/whois/ualberta.ca", "https://www.robtex.com/en/dns-lookup/ca/ualberta", "https://www.whoxy.com/ualberta.ca", "https://reverseip.domaintools.com/search/?q=ualberta.ca", "https://bgp.he.net/dns/ualberta.ca", "https://intelx.io/?s=ualberta.ca", "https://pulsedive.com/indicator/?indicator=ualberta.ca", "https://web.archive.org/web/20250000000000*/ualberta.ca", "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none", "https://viewdns.info/traceroute/?domain=ualberta.ca", "https://centralops.net/co/DomainDossier.aspx", "https://search.odin.io/hosts?query=ualberta.ca", "https://www.merklemap.com/search?query=ualberta.ca&page=0" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 92, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9901, "domain": 790, "email": 982, "hostname": 10520, "FileHash-MD5": 550, "FileHash-SHA256": 1726, "FileHash-SHA1": 519, "SSLCertFingerprint": 64, "CIDR": 26, "CVE": 12 }, "indicator_count": 25090, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f33233092ab19b74879403", "name": "MacOS M2 Chip Infiltration: Game Center & XBOX Pod Game & Chat Server", "description": "pulse explores a variety of files, objects, and functions that could be associated with different system components, libraries, and protocols. It highlights a wide range of potential vulnerabilities that may exist in software related to system functions, APIs, data handling, and device interactions, including issues in devices like game controllers, HID devices, and platform-specific services (such as Apple and Android). The pulse references several components across different platforms (macOS, iOS, ARM architectures, and others), with a focus on low-level code, encryption libraries, system utilities, and network protocols like TCP, IP, and Bluetooth. The identified vulnerabilities could involve buffer overflows, deprecated functions, improper memory handling, and potential exploit vectors related to system security, performance, and integrity.", "modified": "2025-05-07T02:03:20.735000", "created": "2025-04-07T02:02:27.322000", "tags": [ "helper macro", "param", "param inccache", "kerberos", "ccache", "api function", "ccapi", "api version", "param ioccache", "ccacheserver", "win32", "null", "code", "win64", "error", "union", "ccapideprecated", "ccacheapi", "ccapiv2h", "apple", "export", "united", "ccache api", "cplusplus", "x8664", "typedef", "patheq", "none", "popen", "terminate", "false", "winenv", "winexe", "frozen", "winservice", "python", "posixthreads", "pyhavecondvar", "ntthreads", "vista", "pyemulatedwincv", "ntddivista", "semaphore", "pycondt", "win7", "pybuildcore", "fall", "copyright", "technology", "all rights", "reserved", "america", "government", "within that", "klprincipal", "klloginoptions", "inpassword", "klboolean", "klindex inindex", "login", "klstatus", "kerberos login", "inst", "regexp", "typeof e", "function", "typeof t", "typeof o", "width", "typeof", "pseudo", "body", "sticky", "date", "class", "this", "void", "accept", "span", "krb5callconv", "apoptsreserved", "tktflgreserved", "kdcoptreserved", "krb5data", "eblock", "krb5address", "krb5keyblock", "service", "realm", "format", "general", "internal", "entropy", "mask", "mcpeerid", "mcsession", "property", "protocol", "create", "nsuinteger", "notifies", "mcsession api", "interface", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "bonjour apis", "stop", "peer", "example", "tags", "session", "nsprogress", "nserror", "nsstring", "nsurl", "nsarray", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "webpackrequire", "webpackexports", "object", "adobe systems", "adobe", "incorporated", "dissemination", "touchmove", "window", "launch", "close", "core", "webview", "nwebpackrequire", "arraybuffer", "name", "typedarray", "prototype", "string", "number", "nvar", "meta", "infinity", "generator", "zero", "epsilon", "observer", "android", "freeze", "trim", "canvas", "simple", "bind", "fast", "next", "patch", "rest", "middle", "find", "enumerate", "facebook", "executor", "apiunavailable", "gamecontroller", "gcbuttoninput", "gcswitchinput", "nsobject", "apiavailable", "hid device", "cfstr", "iohiddeviceref", "boolean value", "c iohidmanager", "iohidmanager", "c iohiddevice", "issequential", "bool sequential", "bool canwrap", "nsset", "nsunavailable", "gcswitchelement", "bool", "share button", "xbox controller", "xbox elite", "xbox series", "gcxboxgamepad", "gcpoint2", "gcpoint2make", "gcpoint2 p", "cfinline bool", "gcpoint2equal", "gcpoint2 point1", "gcpoint2 point2", "gcrelativeinput", "isanalog", "bool analog", "hasinclude", "gcaxis2dinput", "gcpoint2 value", "gcaxiselement", "certain", "gcaxisinput", "gcbuttonelement", "gccontroller", "nsnotification", "chhapticengine", "gcmicrogamepad", "input", "menu button", "gcdevicelight", "gccolor", "x axis", "xvalue", "developers", "functionality", "options button", "sf symbols", "elements", "gcdevice", "gctouchstate", "gctouchstateup", "apideprecated", "gckeyboard", "gcmouse", "nsswiftname", "gcdevicebattery", "battery level", "direction pad", "directionapad", "thumbstick", "gcdevicecursor", "a controller", "gccolor color", "gcinputbuttona", "gcinputbuttonb", "button b", "check", "a element", "c nil", "nsenumerator", "siri remote", "equivalent", "down", "left", "right", "kindof", "handle button", "c device", "immediate input", "dualsense", "positional", "sony dualsense", "gcmotion", "dualshock", "uievent", "controllers", "uikit user", "uiview", "method", "nsdata", "axes", "nsdata source", "return", "nullable", "nsdata object", "button", "shoulder", "extended", "gamepad profile", "nsdata api", "gcgamepad", "sizeof", "standard", "gckeyboardinput", "keyboard", "nsstring const", "controller", "back buttons", "game controller", "back", "keypad", "delete", "insert", "home", "right arrow", "left arrow", "down arrow", "up arrow", "korean", "backspace", "alongside", "gckeyuparrow", "gckeycode const", "lang1", "gclinearinput", "gcquaternion", "gcacceleration", "y axis", "z axis", "gcmouse mouse", "gcmouse class", "mice", "gcmouseinput", "mouse profile", "scroll", "nsdata instance", "a alias", "press", "micro profile", "siri remotes", "b button", "a gcinput", "button a", "nsoptions", "examining", "c sfsymbolsname", "apple tv", "remote", "control center", "a set", "game", "gcracingwheel", "gcbundlewithpid", "gcinputbuttonx", "gcinputbuttony", "gcinputshifter", "gckeya", "gckeyb", "gckeybackslash", "rawvalue", "apple swift", "o librarylevel", "swift import", "element", "indices", "iterator", "subsequence", "kerberoscomerr", "const", "permission", "mit software", "suitability", "athena", "openvision", "gssdllimp", "gssapigenerich", "this software", "purpose", "disclaims all", "warranties with", "regard to", "constraint", "kerberosprofile", "krb5profileh", "const names", "newvalue", "1429577728l", "gnuc", "mach", "omuint32", "gssapikrb5h", "form", "uid form", "client function", "asrep", "including", "preauth", "db entry", "free", "pointer", "rock", "neither", "direct", "damage", "minorstatus", "gssbuffert", "gssctxidt", "gssoid", "gssnamet", "gsscredidt", "gssoidset", "gssapi", "first", "alcapi", "alcapientry", "alcboolean", "targetosmac", "alcdevice", "alcenum param", "alalch", "alcchar", "alcsizei", "capture", "but not", "limited", "openal cross", "apple computer", "redistribution", "is provided", "type", "alvoid", "alint", "openal", "aluint sid", "alenum", "alint value", "aluint property", "alvoid nonnull", "alfloat", "write", "openalopenalh", "umbrella header", "alenum param", "alapi", "aluint bid", "alsizei", "alfloat value", "alapientry", "aluint", "verify", "play", "speed", "bits", "albuffer3i", "albufferdata", "albufferf", "albufferfv", "albufferi", "albufferiv", "aldistancemodel", "aldopplerfactor", "algetbooleanv", "algetbuffer3f", "iousbhostdevice", "iousbhostobject", "iousbhostpipe", "iousbhoststream", "iousbhost", "brief", "usb host", "bool yes", "bool no", "advance", "iousbhostfamily", "kernel", "ioreturn status", "nsnumber", "ioreturn error", "usb device", "select", "commands", "enqueue", "nsmutabledata", "field", "enum", "options", "retrieve", "iosource", "current address", "bos descriptor", "extract", "a descriptor", "license", "io request", "abort", "discussion", "stream", "please", "swift api", "iousbbitrange", "iousbbitrange64", "iousbbit", "client", "usb controller", "usb descriptor", "unknown", "critical", "refer", "link", "send", "same", "common ui", "bluetooth", "service browser", "option", "1001", "cfstringref", "deprecated", "macos", "returns", "abstract", "nswindow", "creates", "mac os", "uuids", "uuid", "sdp service", "nsimage", "nsview", "mpasskeystring", "nsmutablearray", "uuid array", "ioreturn", "runmodal", "group", "command", "byte", "masks", "pduid", "l2cap", "range", "opcode", "packet", "major", "local", "profiles", "iobluetooth", "framework", "support", "host controller", "rfcomm", "minor class", "pseudoclass", "specific device", "headset", "peripheral", "desktop", "glasses", "device reset", "no hci", "hci controller", "returns number", "variable number", "packdata", "cstring", "pass", "path", "deprecated in", "obex session", "obexsessionref", "rfcomm channel", "obex", "does not", "l2cap channel", "inrefcon", "device", "length", "obex spec", "error code", "make", "headerid", "april", "alarm", "avrcplog", "audiolog", "bccmd16touint16", "bccmd16touint8", "bccmd32touint32", "hfplog", "obexcreatevcard", "obexsessionget", "uint16tobccmd16", "intents", "created", "andrea gottardo", "inimage", "intentsui", "project version", "inshortcut", "ibdesignable", "invoiceshortcut", "nsbundle", "siri", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "ldap", "vdspinput1", "vectorsize", "iirchannel", "osvkerndsplib", "pragmaonce", "paul chang", "fri mar", "original code", "apple operating", "modifications", "apple public", "source license", "version", "lframesize", "i386", "picify", "callmcount", "nonlazystub", "align", "roundtostack", "leaf", "import", "carnegie mellon", "carnegie", "inline void", "software", "school", "august", "xnuarchi386selh", "next computer", "mike demoney", "bruce martin", "state segment", "nxswappedfloat", "osswapint32", "inline float", "inline double", "osswapint64", "armlimitsh", "arm64", "useclangtypes", "bsdarmtypesh", "int8t", "gnuc typedef", "uint8t", "ansi c", "ansi", "use wchart", "armmcontexth", "mcontextt", "armparamh", "round", "darwinsizet", "darwinalign", "uint32t", "darwinalign32", "warranties", "a particular", "university", "armarch6zk", "armarch6k", "armarch4t", "armarch4", "http", "capbitnb", "legacy", "armfeatureflag", "california", "notice", "berkeley", "limited to", "define", "useclanglimits", "lp64", "ansisource", "darwincsource", "longmin", "ulongmax", "parameter", "vmmemcoherent", "vmmemearlyack", "vmmeminner", "vmmemrt", "vmmemguarded", "armmemorytypesh", "armpalroutinesh", "read", "struct", "booleant", "cluster", "devbsize", "mclbytes", "unix system", "laboratories", "devbshift", "thumb", "armv5", "armv7", "cache", "neon", "swift", "bsdarmprofileh", "xxx todo", "block", "mcount", "mcountinit", "mcountenter", "splhigh", "armthreadh", "armtraph", "dflssiz", "targetososx", "maxssiz", "rliminfinity", "maxcsiz", "bsdarmvmparamh", "dfldsiz", "maxdsiz", "xxx stack", "armsignal", "int64t", "armmachtypesh", "int32t", "methods", "thread", "hasapplepac", "atmatmtypesh", "libkernlocksh", "fortifysource", "libkerncopyioh", "sizedby", "darwinosinline", "stdcversion", "osswapint16", "libkerncrch", "blockexport", "vaargs", "blockrelease", "blockh", "collection", "blockcopy", "ososbaseh", "base", "byteoffset", "host endianess", "generic host", "generic", "osmalloc", "osmalloctag tag", "osmalloctag", "pci device", "uint32", "uint32 mask", "safecastptr", "sint32", "osaddatomic64", "uint8", "libkern c", "internal error", "core osreturn", "libkern", "values", "pragmamark", "kexts", "kext", "c string", "grab", "osostypesh", "boolean", "unsignedwide", "uint32 hi", "buildtime value", "libkernversionh", "versionmajor", "versionminor", "versionvariant", "versionrevision", "ostype", "osrelease", "libkernsysctlh", "instructions", "data cache", "future", "rbleft", "rbright", "rbgetparent", "splayright", "splayleft", "rbsetcolor", "rbblack", "rbgetcolor", "comp", "main", "stdc", "msdos", "windows", "sys16bit", "zlibdll", "zextern", "zconfh", "model", "zextern int", "zstreamerror", "znull", "zbuferror", "zmemerror", "zstreamend", "zdataerror", "zfinish", "enough", "possible", "trailer", "compiler", "countedby", "sparta", "osatomic", "ipcipctypesh", "ipcobjectnull", "ipcobjectdead", "osreturn", "nfskrpch", "xdrbuf", "xdrbuf xbp", "xbptr", "xbleft", "tlen", "lval", "xbcleanup", "xbtype", "xbflags", "nfsargsversion", "file", "packed", "nfshz", "mount", "term", "restrict", "stats", "nfsbitmapset", "nfsver3", "nfsxunsigned", "attr", "nfsprogram", "nfssmallfh", "which", "from", "mark", "obsolete", "ip address", "iaddrt", "netinetbootph", "nvmaxtext", "magic", "etheraddrlen", "target", "byteorder", "bigendian", "littleendian", "dest", "igmp", "ushort", "inpcbptr", "inpcblistentry", "ipsec", "pcbs", "cookie", "netinetinstath", "minimal", "result", "arp packet", "icmpparamprob", "icmpredirect", "address", "ditto", "ip filter", "ipv4", "ip packet", "inject", "wifi", "server", "tcpmaxnotifyack", "wired", "ecn setup", "notify", "slow", "definitions", "tcptmax", "retransmit", "mptcp", "tcpsclosewait", "tcpsestablished", "tcpstimewait", "tcpseq", "timer drift", "sack", "char", "icmp", "synack", "tcpoptnop", "syndata", "ver", "internet", "iopcidevice", "constant", "perst", "localonly", "iooptionbits", "optional access", "ioservice", "open", "pcidriverkith", "osmetaclassbase", "iorpc rpc", "auditpipeiobase", "auditsdeviobase", "ioctls", "data", "the software", "stdargh", "hasincludenext", "eli friedman", "as is", "hack", "atomic", "atomicseqcst", "clangstdatomich", "stdchosted", "stdboolh", "needwintt", "stddefh", "hasbuiltin", "const src", "xnumembersize", "const dst", "wcharmax", "wcharmin", "limits", "kernelstdinth", "lp64 typedef", "intmaxc", "uintmaxc", "ptrauth", "olddata", "value", "declkey", "abi pointer", "c function", "float16", "fltevalmethod", "legacy bsd", "c standard", "sincospi", "cosp", "x8664monotonich", "staticifentry", "hasmte", "vmmemorytypesh", "vmwimgdefault", "wimg", "extvectortype", "utilfunction", "aligned", "srcptr", "vmpmaph", "vmdyldpagerh", "vmvmfaulth", "vmvmmaph", "development", "debug", "vmvmoptionsh", "vmvmpageouth", "kasantbi", "machvmmemtagh", "given", "vmmemtagptrsize", "vmmemtagtagsize", "copy", "vmsharedregionh", "vfsvfssupporth", "veclib", "master", "world wide", "various", "veclibtypes", "carbonlib", "availability", "carbon", "noncarbon cfm", "vbasicops", "shift", "vforceh", "vdsplength n", "realp", "nonnull", "vector", "dspsplitcomplex", "ieee", "dspcomplex", "uuiduuidh", "uuiddefine", "public", "uuid library", "kernelserver", "simpleroutine", "undkey", "execution", "strings array", "user", "title string", "info", "1024", "xmldatat", "undreplyref", "kernsuccess", "osaction", "targetosiphone", "istargetvendor", "targetcpux8664", "targetosunix", "targetcpuppc", "targetcpuppc64", "targetcpux86", "targetrtmaccfm", "bridge", "svflags", "svpavreal", "svpavreify", "xpvav", "svany", "avfillp", "for apidoc", "mutableav", "avrealoff", "pltopenv", "stmtstart", "stmtend", "copfile", "plcurstackinfo", "copfilegv", "cophinthashget", "loop", "stack", "beware", "orig", "loops", "this file", "the build", "plbitcount", "u8 value", "cvflags", "xpvcv", "mutableptr", "perlcore", "cvgv", "cvfile", "cvfmethod", "cvflvalue", "cvfconst", "anon", "doinit extconst", "ebcdic", "extconst u8", "index", "ascii platform", "confusingly", "u8 pla2e", "pla2e", "u8 ple2a", "guard", "declspec", "extconst", "ext externc", "init", "larry wall", "gnu general", "readme file", "multiplicity", "plsawampersand", "do not", "perliogetc", "perlioputc", "perliostdoutf", "perlio", "perlfeatureh", "featuresubbit", "featuremyrefbit", "featurefcbit", "featureisabit", "featuresaybit", "featurestatebit", "featuretrybit", "hintfeaturemask", "ffspace", "process", "ffdecimal", "ffend", "gvgp", "gvflags", "gvnamehek", "svtype", "gvegv", "gvstash", "gvxpvgv", "svtpvgv", "svtpvlv", "super", "edit directly", "djgpp", "bitbucket", "perlsysinitbody", "perlioinit", "perlsystermbody", "w macros", "wexitstatus", "shpath", "mkdir", "rotl64", "rotl32", "rotate x", "rotr32", "can64bithash", "rotr64", "ivsize", "u8to16le", "rotluv", "rotruv", "sbox32maxlen", "plhashstate", "perlhash", "perl", "usehashseed", "perlseenhvfunch", "perlhashseed", "siphash24", "siphash13", "seed", "c program", "c type", "c compiler", "gcc attribute", "longsize", "c preprocessor", "install", "kill", "cont", "thus", "ext declspec", "dext", "for apidocitem", "utf8", "ascii", "fitsin8bits", "nativetolatin1", "strwithlen", "u8 end", "test", "poison", "february", "cray", "prior", "behaviour", "except", "alpha", "perlvar", "perlvari", "perlvara", "padoffset", "true", "pmop", "hooks", "hook", "sv invlist", "perlinregcompc", "svcur", "perlinopc", "tointernalsize", "svtinvlist", "invlistlen", "strlen", "hvaux", "heklen", "svook", "hekutf8", "hekkey", "hekflags", "mutablehv", "hvnameheknn", "gosh", "leave", "iperlsock", "plsock", "iperlstdio", "plstdio", "iperlproc", "plproc", "iperllio", "pllio", "perlimplicitsys", "plink", "keypackage", "keyend", "keysub", "keydump", "keylog", "keysend", "keystate", "perlioclose", "perlmemcollxfrm", "nativetoneed", "plclocaleobj", "plno", "plwarnall", "plwarnnone", "plyes", "plzero", "plc9utf8dfatab", "nomathoms", "perlintokec", "perlinutf8c", "perlinsvc", "perlinregexecc", "debugging", "perlinlocalec", "pfinet", "snoop", "ccprint", "ccgraph", "cccharnamecont", "ccascii", "ccwordchar", "ccalphanumeric", "ccidfirst", "ccquotemeta", "ccalpha", "cccased", "ordinal", "magicvtablemax", "extra", "regex match", "env hash", "isa array", "debugger", "sig hash", "available", "shadow", "array length", "magic mg", "sv sv", "mgftainteddir", "hefsvkey", "mutablesv", "ssizet", "mgvtbl entry", "mgfbytes", "perlmagicsv 0", "special", "perlmagicarylen", "perlmagicrhash", "extra data", "perlmagicpos", "perlmagicsymtab", "provides", "dtrace probes", "stdioh", "stdioincluded", "sfioversion", "rxfpmfcharset", "rxfpmfmultiline", "rxfpmffold", "rxfpmfextended", "rxfpmfnocapture", "rxfpmfkeepcopy", "flags", "rxfpmfstrict", "ocshift", "plop", "perlbitfield16", "baseop op", "useithreads", "pmfonce", "padop", "perlcknull", "perlckfun", "opparg1mask", "opparg4mask", "opparg2mask", "perlckftst", "perlppftrowned", "perlckbitop", "perlckcmp", "perlcklfun", "dump", "chroot", "syscall", "flip", "undef", "crypt", "push", "stub", "trans", "predec", "flop", "prtf", "shutdown", "perlcontext cx", "perlmemlog", "c pointer", "cxtype", "logic", "toavamg", "tohvamg", "opftrread", "oplt", "opincmp", "opbitand", "opsbitor", "opsend", "opgetpeername", "opfteexec", "opftbinary", "opclose", "plparser", "yylex", "lexshared", "position", "repl", "memsize", "malloct", "perlmallocctlh", "uv nfree", "uv ntotal", "iv topbucket", "iv totalsbrk", "iv minbucket", "level", "plcomppad", "plcurpad", "uvxf", "ptr2uv", "avarray", "padnameflags", "plcopseqmax", "padlistarray", "c array", "padnametype", "incpushperl5lib", "appllibexp", "privlibexp", "defineincmacros", "perlfsversion", "perl5lib", "sitearchexp", "perllanginfoh", "hasnllanginfo", "ilanginfo", "codeset", "codeset 1", "dtfmt", "dtfmt 2", "dfmt", "dfmt 3", "sipround", "u8to64le", "fallthrough", "uint64c", "perlsiphashfnc", "siprounds", "strlen inlen", "sipfinalrounds", "could", "configure", "plout", "mine001", "argv", "plin", "localpatchcount", "perlapih", "xs code", "portingglossary", "first version", "brand", "symbols", "haswcrtomb", "perlionotstdio", "perlcallconv", "perlio f", "perlioh", "usestdio", "case", "bufsiz", "sizet", "perlstability", "perltypedefs", "perldtracehin", "perlloadedfile", "perlloadingfile", "perlopentry", "perlphasechange", "perlsubentry", "perlsubreturn", "generated", "perlcallconv iv", "sizet count", "sv arg", "mode", "perliofuncs tab", "stdchar", "perliolistt", "sv args", "mutex", "perlinterpreter", "sigsize", "perlioisstdio", "perlcallconv op", "perldokv", "perlppaassign", "perlppabs", "perlppaccept", "perlppadd", "perlppaeach", "perlppaelem", "public license", "free software", "foundation", "yydebug", "bison", "bareword", "funcmeth", "arrow", "targ", "pushs", "tops", "does", "xsub", "pops", "xpushs", "erange", "perlreentrapi", "perlreentrapi0", "hostentsize", "getgrentrproto", "getpwentrproto", "getnetentrproto", "grentbuffer", "grentsize", "hostenterrno", "redebugflag", "debugvtest", "debugr", "u16 nextoff", "argset", "u8 type", "nextoff", "strings", "problem", "june", "invert", "perlfpclass", "longdoublekind", "plstatusvalue", "pldebug", "numclasses", "locale", "grok", "pragma", "dword", "attack", "little", "lynx", "done", "reany", "rxpextflags", "rxextflags", "checkpoint cp", "rxftaintedseen", "rxfcopydone", "plsavestackix", "plsavestack", "plsavestackmax", "ssmaxpush", "enter", "debugscope", "state", "u32 state", "debugsbox32hash", "sbox32warn5", "line", "mutexunlock", "mutexinit", "noop", "mutexlock", "condinit", "detach", "panic", "usetm64", "should", "bsd extension", "configuration", "time64debug", "int64t nv", "gnu extension", "perltime64h", "time64t", "int64t int64", "int64 time64t", "i32 year", "tm64", "hastmtmgmtoff", "decide", "svpvx", "svgmagic", "bonk", "anything", "turn", "crash", "fstat", "perlmicro", "hasioctl", "hasutime", "hasgroup", "haspasswd", "usemybinmode", "idirent", "likely", "generated code", "utfebcdic", "unicode", "step", "ufeff", "u00a0", "u00df", "u00b5", "ufffd", "u017f", "u0300", "unlikely", "nativeutf8toi8", "utf8skip", "nativetouni", "lazy", "extrasize", "regnodemax", "exact", "match", "whilem", "anyof", "curly", "trie", "curlym", "eval", "star", "perlutilh", "hsmapiverlen", "hsxsverlenmax", "hskeyp", "tools", "sv vs", "perlversionlt", "svpvxnolenconst", "perlckwarner", "u32 err", "scroakxsusage", "pluumap", "warnings", "categories", "plcurcop", "perlckwarn", "perlckwarnd", "perlwarnisset", "perlwarnoff", "perlwarnbit", "xsversion", "xsreturn", "perlxshandshake", "plstackbase", "hskey", "zaphod32mix", "u8to32le", "zaphod32warn4", "zaphod32warn3", "zaphod32warn6", "perlform", "i8tonativeutf8", "warnutf8", "myshift", "c extension", "libs", "cflags", "afkuserlog", "kafkeventcancel", "kafkeventerror", "adamsbagmanager", "adjinglerequest", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "hostconfig", "addtofront", "calcslope", "copyarray", "createcachenode", "defaultebecurve", "deletecache", "disablehcucache", "dumpcache", "dumpoutputhcu", "enablet1sim", "ascagent", "ascagentproxy", "asdevice", "ddrangecompare", "wdosloglauncher", "wdoslogprotocol", "findchar", "ddasllogger", "ddfilelogger", "ddlog", "ddlogfileinfo", "ddlogmessage", "ddloggernode", "mkurlparser", "mkerrordomain", "mkintegerhash", "mklonghash", "mkmaprectinset", "mkmaprectnull", "mkmaprectoffset", "mkmaprectworld", "mkmapsizeworld", "kextensionnonui", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webkit", "methodkind", "wkerrordomain", "by apple", "document", "a block", "wkcontentworld", "wkwebview", "javascript", "wkerrorcode", "wkerrorunknown", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "nshttpcookie", "whether", "wknavigation", "wkdownload", "decides", "mime type", "wkscriptmessage", "wkframeinfo", "information", "url scheme", "wkcontentmode", "wkuserscript", "wkextern", "media", "promise", "fulfill", "cgfloat", "targetoswatch", "sign", "password", "provider", "uicontrol", "nscontrol", "opaque user", "apple id", "nsstring user", "asuseragerange", "initiate", "asauthorization", "confirms", "apple upgrade", "nserrorenum", "operation", "relying party", "targetosvision", "a byte", "nsdata userid", "relying", "a string", "asapiavailable", "http response", "authorization", "oauth", "saml", "nsdata readdata", "bool didwrite", "a cose", "nsstring name", "bool appid", "targetosxr", "a state", "a json", "web token", "private seckeys", "nsstring appid", "mdm profile", "nsurl url", "returns yes", "lacontext", "asswiftsendable", "keychain", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nsinteger rank", "enables", "bool success", "remove", "call", "complete", "prepare", "attempt", "list", "nsextension", "settings", "initializes", "a key", "extensions", "hash", "json", "initialize", "nsstring origin", "settings app", "urls", "https urls", "safari", "cancel", "nsuuid uuid", "asextern extern", "asextern", "nsswiftsendable", "uiwindow", "propertykind", "gkplayer", "n tags", "gkerrordomain", "gamecenter", "targetosios", "targetostv", "nsavailable", "gkachievement", "local player", "view", "present", "optional", "gkbaseplayer", "game center", "uiimage", "app store", "gkchallenge", "gklocalplayer", "nsdeprecated", "a singleton", "gkcloudplayer", "returns nil", "nsdeprecatedmac", "internal2", "internal3", "internal4", "gkscore", "gkextern", "gkextern extern", "gkexternweak", "gkerrorcode", "gkerrorunknown", "gkerrorunderage", "friendplayer", "standard view", "nsresponder", "parentwindow", "ibaction", "gkgamesession", "apis", "gkplayer player", "nsinteger score", "nsdate date", "gkleaderboard", "connect", "nsinteger value", "load", "gktransporttype", "nsstring title", "loads array", "localized", "gkmatch", "gkmatchrequest", "gkinvite", "gksession", "gksession api", "gamekit", "asynchronously", "welcome", "nstimeinterval", "delegate", "delivery", "gksenddatamode", "gksessionmode", "gkphotosize", "callbacks", "gkmatchdelegate", "gksavedgame", "default value", "gksessionerror", "gkvoicechat", "participant", "voice chat", "clienta" ], "references": [ "CredentialsCache.h", "CredentialsCache2.h", "config.xml", "popen_spawn_win32.py", "pycore_condvar.h", "Kerberos.h", "KerberosLogin.h", "plugin.js", "krb5.h", "MultipeerConnectivity.tbd", "MCBrowserViewController.h", "MCNearbyServiceAdvertiser.h", "MCError.h", "MCAdvertiserAssistant.h", "MCNearbyServiceBrowser.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCPeerID.h", "canvas.html", "capture_0.bundle.js", "capture_resize.js", "GCRacingWheelInput.h", "GCSyntheticDeviceKeys.h", "GCSwitchPositionInput.h", "GCSteeringWheelElement.h", "GCSwitchElement.h", "GCTouchedStateInput.h", "GCXboxGamepad.h", "GCTypes.h", "GCRelativeInput.h", "GameController.h", "GCAxis2DInput.h", "GCAxisElement.h", "GCAxisInput.h", "GCButtonElement.h", "GCController.h", "GCColor.h", "GCControllerAxisInput.h", "GCControllerDirectionPad.h", "GCControllerInput.h", "GCControllerElement.h", "GCControllerTouchpad.h", "GCDevice.h", "GCDeviceBattery.h", "GCDeviceCursor.h", "GCDeviceHaptics.h", "GCDeviceLight.h", "GCDevicePhysicalInputState.h", "GCDevicePhysicalInputStateDiff.h", "GCDirectionalGamepad.h", "GCDirectionPadElement.h", "GCDevicePhysicalInput.h", "GCDualSenseAdaptiveTrigger.h", "GCDualSenseGamepad.h", "GCDualShockGamepad.h", "GCEventViewController.h", "GCExtendedGamepadSnapshot.h", "GCExtern.h", "GCExtendedGamepad.h", "GCGamepadSnapshot.h", "GCGearShifterElement.h", "GCGamepad.h", "GCKeyboard.h", "GCInputNames.h", "GCControllerButtonInput.h", "GCKeyNames.h", "GCKeyboardInput.h", "GCKeyCodes.h", "GCLinearInput.h", "GCMotion.h", "GCMouse.h", "GCMouseInput.h", "GCMicroGamepadSnapshot.h", "GCPhysicalInputElement.h", "GCMicroGamepad.h", "GCPhysicalInputProfile.h", "GCPhysicalInputSource.h", "GCPressedStateInput.h", "GCProductCategories.h", "GCRacingWheel.h", "GameController.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-macos.swiftinterface", "module.modulemap", "com_err.h", "gssapi_generic.h", "locate_plugin.h", "profile.h", "gssapi_krb5.h", "preauth_plugin.h", "gssapi.h", "alc.h", "oalStaticBufferExtension.h", "oalMacOSX_OALExtensions.h", "OpenAL.h", "al.h", "OpenAL.tbd", "IOUSBHost.tbd", "IOUSBHostCIEndpointStateMachine.h", "IOUSBHostCIControllerStateMachine.h", "IOUSBHost.h", "IOUSBHostCIPortStateMachine.h", "IOUSBHostCIDeviceStateMachine.h", "IOUSBHostControllerInterfaceHelpers.h", "IOUSBHostDevice.h", "IOUSBHostControllerInterface.h", "IOUSBHostDefinitions.h", "IOUSBHostInterface.h", "IOUSBHostIOSource.h", "AppleUSBDescriptorParsing.h", "IOUSBHostStream.h", "IOUSBHostObject.h", "IOUSBHostControllerInterfaceDefinitions.h", "IOUSBHostPipe.h", "IOBluetoothUIUserLib.h", "IOBluetoothUI.h", "IOBluetoothObjectPushUIController.h", "IOBluetoothDeviceSelectorController.h", "IOBluetoothPasskeyDisplay.h", "IOBluetoothPairingController.h", "IOBluetoothServiceBrowserController.h", "IOBluetoothUI.tbd", "Bluetooth.h", "IOBluetooth.h", "BluetoothAssignedNumbers.h", "IOBluetoothTypes.h", "IOBluetoothUtilities.h", "OBEXBluetooth.h", "IOBluetoothUserLib.h", "OBEX.h", "IOBluetooth.tbd", "INImage+IntentsUI.h", "IntentsUI.h", "INUIAddVoiceShortcutButton.h", "IntentsUI.apinotes", "INUIEditVoiceShortcutViewController.h", "INUIAddVoiceShortcutViewController.h", "LDAP.tbd", "OSvKernDSPLib.h", "cpu.h", "asm_help.h", "desc.h", "pio.h", "io.h", "sel.h", "reg_help.h", "tss.h", "table.h", "byte_order.h", "_limits.h", "_types.h", "_mcontext.h", "_param.h", "_endian.h", "arch.h", "cpuid_internal.h", "cpu_capabilities_public.h", "arm_features.inc", "endian.h", "locks.h", "limits.h", "atomic.h", "machine_cpuid.h", "memory_types.h", "pal_routines.h", "machine_routines.h", "param.h", "cpuid.h", "thread.h", "trap.h", "vmparam.h", "signal.h", "types.h", "AFKMemoryDescriptorOptions.h", "machine_machdep.h", "atm_types.h", "copyio.h", "_OSByteOrder.h", "crc.h", "Block.h", "OSBase.h", "OSByteOrder.h", "OSDebug.h", "OSMalloc.h", "OSAtomic.h", "OSReturn.h", "OSKextLib.h", "OSTypes.h", "version.h", "sysctl.h", "tree.h", "zconf.h", "zlib.h", "libkern.h", "kdp_callout.h", "kdp_en_debugger.h", "ipc_types.h", "krpc.h", "rpcv2.h", "xdr_subs.h", "nfs.h", "nfsproto.h", "bootp.h", "if_ether.h", "icmp6.h", "icmp_var.h", "igmp_var.h", "igmp.h", "in_pcb.h", "in_stat.h", "in_private.h", "in_arp.h", "in_var.h", "in_systm.h", "ip_var.h", "ip_icmp.h", "kpi_ipfilter.h", "ip6.h", "tcp_private.h", "ip.h", "tcp_timer.h", "tcp_fsm.h", "udp_var.h", "tcp_seq.h", "tcpip.h", "udp.h", "tcp_var.h", "tcp.h", "IOPCIFamilyDefinitions.h", "IOPCIDevice.iig", "PCIDriverKit.h", "IOPCIDevice.h", "audit_ioctl.h", "stdarg.h", "stdatomic.h", "stdbool.h", "stddef.h", "string.h", "stdint.h", "ptrauth.h", "math.h", "monotonic.h", "static_if.h", "machine_kpc.h", "machine_remote_time.h", "ipc_pthread_priority_types.h", "lz4_assembly_select.h", "vm_compressor_algorithms.h", "lz4.h", "pmap.h", "vm_dyld_pager.h", "vm_far.h", "vm_fault.h", "vm_map.h", "lz4_constants.h", "vm_options.h", "vm_pageout.h", "vm_memtag.h", "vm_shared_region.h", "vm_kern.h", "vfs_support.h", "vecLib.h", "vecLibTypes.h", "vBasicOps.h", "vForce.h", "vDSP.h", "uuid.h", "UNDReply.defs", "UNDRequest.defs", "KUNCUserNotifications.h", "UNDTypes.defs", "UNDTypes.h", "TargetConditionals.h", "apfs_boot_mount.tbd", "av.h", "cop.h", "bitcount.h", "cv.h", "ebcdic_tables.h", "EXTERN.h", "embedvar.h", "fakesdio.h", "feature.h", "form.h", "gv.h", "git_version.h", "dosish.h", "hv_macro.h", "hv_func.h", "config.h", "INTERN.h", "handy.h", "intrpvar.h", "invlist_inline.h", "hv.h", "iperlsys.h", "keywords.h", "libperl.tbd", "embed.h", "l1_char_class_tab.h", "mg_data.h", "mg_raw.h", "mg.h", "mg_vtable.h", "mydtrace.h", "nostdio.h", "op_reg_common.h", "op.h", "opcode.h", "inline.h", "overload.h", "opnames.h", "parser.h", "malloc_ctl.h", "pad.h", "perl_inc_macro.h", "perl_langinfo.h", "perl_siphash.h", "patchlevel.h", "perlapi.h", "metaconfig.h", "perlio.h", "perldtrace.h", "perliol.h", "perlvars.h", "perlsdio.h", "pp_proto.h", "perly.h", "pp.h", "reentr.h", "regcomp.h", "perl.h", "regexp.h", "scope.h", "sbox32_hash.h", "time64_config.h", "time64.h", "sv.h", "unixish.h", "uconfig.h", "utfebcdic.h", "unicode_constants.h", "utf8.h", "regnodes.h", "util.h", "vutil.h", "uudmap.h", "warnings.h", "XSUB.h", "zaphod32_hash.h", "encode.h", "python-3.9.pc", "python-3.9-embed.pc", "python3-embed.pc", "python3.pc", "AFKUser.tbd", "AdID.tbd", "Admin.tbd", "AirPlayReceiver.tbd", "AppSandbox.tbd", "ASEProcessing.tbd", "AuthenticationServicesCore.tbd", "WebGPU.tbd", "WebDriver.tbd", "MapKit.tbd", "SwiftUI.swiftoverlay", "WebKit.tbd", "WebKit.apinotes", "WKBackForwardList.h", "NSAttributedString.h", "WebKit.h", "WKBackForwardListItem.h", "WKContentRuleList.h", "WKContentRuleListStore.h", "WKContextMenuElementInfo.h", "WKDataDetectorTypes.h", "WKContentWorld.h", "WKError.h", "WKFoundation.h", "WKFindResult.h", "WKHTTPCookieStore.h", "WKFrameInfo.h", "WKNavigation.h", "WKFindConfiguration.h", "WKNavigationDelegate.h", "WKNavigationResponse.h", "WKOpenPanelParameters.h", "WebKitLegacy.h", "WKPreviewActionItem.h", "WKNavigationAction.h", "WKPreferences.h", "WKPreviewActionItemIdentifiers.h", "WKPreviewElementInfo.h", "WKProcessPool.h", "WKDownload.h", "WKPDFConfiguration.h", "WKScriptMessage.h", "WKSecurityOrigin.h", "WKScriptMessageHandler.h", "WKSnapshotConfiguration.h", "WKUIDelegate.h", "WKURLSchemeTask.h", "WKWebpagePreferences.h", "WKUserContentController.h", "WKWebsiteDataStore.h", "WKWebsiteDataRecord.h", "WKUserScript.h", "WKURLSchemeHandler.h", "WKWebViewConfiguration.h", "WKWebView.h", "WKScriptMessageHandlerWithReply.h", "WKWindowFeatures.h", "WKDownloadDelegate.h", "ASAccountAuthenticationModificationController.h", "ASAccountAuthenticationModificationViewController.h", "ASAuthorization.h", "ASAuthorizationAppleIDButton.h", "ASAccountAuthenticationModificationRequest.h", "ASAuthorizationAppleIDProvider.h", "ASAuthorizationAppleIDRequest.h", "ASAuthorizationAppleIDCredential.h", "ASAuthorizationController.h", "ASAuthorizationCredential.h", "ASAccountAuthenticationModificationExtensionContext.h", "ASAuthorizationError.h", "ASAuthorizationCustomMethod.h", "ASAuthorizationPasswordRequest.h", "ASAuthorizationOpenIDRequest.h", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "ASAuthorizationProvider.h", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "ASAuthorizationPublicKeyCredentialConstants.h", "ASAuthorizationProviderExtensionAuthorizationResult.h", "ASAuthorizationPublicKeyCredentialDescriptor.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "ASAuthorizationPasswordProvider.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "ASAuthorizationPublicKeyCredentialParameters.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "ASAuthorizationPublicKeyCredentialRegistration.h", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "ASAuthorizationRequest.h", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "ASAuthorizationSingleSignOnCredential.h", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "ASAuthorizationSingleSignOnProvider.h", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCOSEConstants.h", "ASCredentialIdentity.h", "ASAuthorizationSingleSignOnRequest.h", "ASCredentialIdentityStore.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "ASCredentialProviderExtensionContext.h", "ASCredentialProviderViewController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASCredentialServiceIdentifier.h", "ASExtensionErrors.h", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "ASCredentialRequest.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "ASPasskeyAssertionCredential.h", "ASPasskeyCredentialRequest.h", "ASPasskeyCredentialRequestParameters.h", "ASCredentialIdentityStoreState.h", "ASPasskeyRegistrationCredential.h", "ASPasswordCredential.h", "ASPublicKeyCredential.h", "ASPasskeyCredentialIdentity.h", "ASPublicKeyCredentialClientData.h", "ASSettingsHelper.h", "ASWebAuthenticationSessionCallback.h", "ASWebAuthenticationSession.h", "ASWebAuthenticationSessionRequest.h", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "AuthenticationServices.h", "ASFoundation.h", "AuthenticationServices.apinotes", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "ASPasswordCredentialIdentity.h", "ASPasswordCredentialRequest.h", "GameKit.apinotes", "GKAccessPoint.h", "GameKit.h", "GKAchievement.h", "GKAchievementViewController.h", "GKBasePlayer.h", "GKAchievementDescription.h", "GKChallengeEventHandler.h", "GKCloudPlayer.h", "GKChallengesViewController.h", "GKChallenge.h", "GKDefines.h", "GKError.h", "GKEventListener.h", "GKFriendRequestComposeViewController.h", "GKDialogController.h", "GKGameSessionEventListener.h", "GKGameSessionError.h", "GKGameCenterViewController.h", "GKGameSessionSharingViewController.h", "GKLeaderboardEntry.h", "GKLeaderboard.h", "GKLeaderboardScore.h", "GKGameSession.h", "GKLeaderboardSet.h", "GKLocalPlayer.h", "GKLeaderboardViewController.h", "GKMatch.h", "GKMatchmaker.h", "GKMatchmakerViewController.h", "GKPeerPickerController.h", "GKNotificationBanner.h", "GKPublicConstants.h", "GKPlayer.h", "GKPublicProtocols.h", "GKSavedGameListener.h", "GKScore.h", "GKSessionError.h", "GKVoiceChat.h", "GKTurnBasedMatchmakerViewController.h", "GKSession.h", "GKTurnBasedMatch.h", "GKSavedGame.h", "GKVoiceChatService.h" ], "public": 1, "adversary": "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc", "targeted_countries": [ "United States of America", "India", "Australia" ], "malware_families": [ { "id": "OSAtomic", "display_name": "OSAtomic", "target": null }, { "id": "OSReturn", "display_name": "OSReturn", "target": null }, { "id": "Ver", "display_name": "Ver", "target": null }, { "id": "Internet", "display_name": "Internet", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1968, "domain": 526, "FileHash-SHA256": 207, "hostname": 972, "email": 55, "FileHash-SHA1": 9, "FileHash-MD5": 4, "CVE": 2, "CIDR": 10 }, "indicator_count": 3753, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "547 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "endian.h", "AuthenticationServicesCore.tbd", "ttys", "ASPasskeyCredentialRequest.h", "ASAuthorizationPublicKeyCredentialRegistrationRequest.h", "WebKitLegacy.h", "OSKextLib.h", "copyio.h", "GCDevice.h", "MCSession.h", "UNDTypes.h", "handy.h", "feature.h", "GameKit.h", "https://intelx.io/?s=ualberta.ca", "GKAchievementDescription.h", "GCControllerInput.h", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "machine_cpuid.h", "WKProcessPool.h", "WKPreviewActionItem.h", "ASAuthorizationCredential.h", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "OSMalloc.h", "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary", "atm_types.h", "IOBluetoothServiceBrowserController.h", "sv.h", "GCTypes.h", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "resolv.conf", "LICENSE", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "GCRacingWheelInput.h", "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report", "math.h", "x86_64-apple-ios-macabi.swiftinterface", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "lz4_assembly_select.h", "IntentsUI.h", "parser.h", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionOutput.h", "types.h", "atomic.h", "table.h", "GKChallengesViewController.h", "zshrc_Apple_Terminal", "zaphod32_hash.h", "ASAuthorizationPasswordRequest.h", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "INUIEditVoiceShortcutViewController.h", "ASSettingsHelper.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialAssertionRequest.h", "GCKeyboardInput.h", "ASPublicKeyCredentialClientData.h", "afpovertcp.cfg", "ASAuthorizationPublicKeyCredentialConstants.h", "GKLeaderboardViewController.h", "kdp_callout.h", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "cpuid.h", "GKError.h", "GCDualShockGamepad.h", "IOUSBHostPipe.h", "WKWindowFeatures.h", "vm_kern.h", "master.cf", "IOBluetoothDeviceSelectorController.h", "regnodes.h", "GKEventListener.h", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "vDSP.h", "GKDefines.h", "GKDialogController.h", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "OSvKernDSPLib.h", "ASWebAuthenticationSessionRequest.h", "LocalAuthentication.tbd", "UNDRequest.defs", "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs", "lz4.h", "GCDeviceHaptics.h", "AppSandbox.tbd", "IOUSBHostIOSource.h", "ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.h", "ASCredentialProviderExtensionContext.h", "GKScore.h", "managedPolicies.csv", "uuid.h", "pad.h", "Kerberos.h", "GCDirectionalGamepad.h", "configuring.html", "malloc_ctl.h", "ntp_opendirectory.conf", "IOBluetoothPasskeyDisplay.h", "WKDownloadDelegate.h", "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca", "sipConfig.csv", "profile", "mg.h", "WKBackForwardListItem.h", "monotonic.h", "Block.h", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "thread.h", "GCXboxGamepad.h", "csh.cshrc", "GKVoiceChat.h", "GKPublicProtocols.h", "GKLeaderboardSet.h", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "MCAdvertiserAssistant.h", "crashes.csv", "MCPeerID.h", "https://viewdns.info/traceroute/?domain=ualberta.ca", "capture_resize.js", "gssapi_krb5.h", "main.cf.proto", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationProviderExtensionAuthorizationResult.h", "capture_0.bundle.js", "WKWebpagePreferences.h", "GCControllerElement.h", "IOUSBHostControllerInterfaceHelpers.h", "https://bgpview.io/asn/3359#whois", "ASAuthorizationPlatformPublicKeyCredentialAssertion.h", "custom-error.html", "virtual", "auto_master", "ASWebAuthenticationSessionWebBrowserSessionManager.h", "WKWebView.h", "BUILDING", "Admin.tbd", "GCExtendedGamepadSnapshot.h", "caching.html", "WKSnapshotConfiguration.h", "WKHTTPCookieStore.h", "CredentialsCache2.h", "locate_plugin.h", "stdatomic.h", "https://centralops.net/co/DomainDossier.aspx", "tcp_seq.h", "NSAttributedString.h", "IOUSBHostCIPortStateMachine.h", "GCSteeringWheelElement.h", "python3.pc", "GameKit.apinotes", "vutil.h", "perlvars.h", "scope.h", "dbd_xsh.h", "ASEProcessing.tbd", "GameController.tbd", "igmp_var.h", "TLS_LICENSE", "relocated", "OpenAL.tbd", "stdarg.h", "rc.common", "convenience.map", "vecLibTypes.h", "warnings.h", "ip_var.h", "vm_dyld_pager.h", "ipc_pthread_priority_types.h", "av.h", "ASAuthorizationPublicKeyCredentialAssertionRequest.h", "WebKit.h", "launchagents.txt", "INTERN.h", "WKFoundation.h", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld", "GKMatchmakerViewController.h", "tcpip.h", "header_checks", "invlist_inline.h", "GKLeaderboardEntry.h", "signal.h", "_limits.h", "config.h", "config.xml", "machine_remote_time.h", "OSReturn.h", "INImage+IntentsUI.h", "IOUSBHostCIEndpointStateMachine.h", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "OSBase.h", "https://web.archive.org/web/20250000000000*/ualberta.ca", "intrpvar.h", "dbivport.h", "applications.csv", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationOutput.h", "systemControls.csv", "https://pulsedive.com/indicator/?indicator=ualberta.ca", "GCPhysicalInputElement.h", "shells", "ASPasskeyCredentialIdentity.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialRegistrationRequest.h", "ASAuthorizationProviderExtensionAuthorizationRequest.h", "ASAuthorizationWebBrowserPublicKeyCredentialManager.h", "com.apple.screensharing.agent.launchd", "udp_var.h", "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43", "libperl.tbd", "GCDeviceCursor.h", "bounce.cf.default", "GCGamepadSnapshot.h", "EXTERN.h", "AuthenticationServices.apinotes", "GKCloudPlayer.h", "tcp_timer.h", "WKSecurityOrigin.h", "compromised_site_redirector_fromcharcode fromCharCode", "auto_home", "PCIDriverKit.h", "vm_shared_region.h", "https://whois.domaintools.com/ualberta.ca", "hook_op_check.h", "IOPCIDevice.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialRegistrationRequest.h", "GCMotion.h", "ASPasskeyAssertionCredential.h", "arm64e-apple-macos.swiftinterface", "python-3.9-embed.pc", "WKError.h", "GCSyntheticDeviceKeys.h", "ASAccountAuthenticationModificationRequest.h", "_param.h", "in_var.h", "util.h", "smb.conf", "WKNavigationResponse.h", "zlib.h", "in_systm.h", "WKURLSchemeHandler.h", "AFKMemoryDescriptorOptions.h", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "reentr.h", "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark", "WebKit.tbd", "group", "vmparam.h", "time64_config.h", "https://www.shodan.io/search?query=ualberta.ca", "ASCOSEConstants.h", "arch.h", "https://viz.greynoise.io/query/AS3359", "KerberosLogin.h", "ASAccountAuthenticationModificationUpgradePasswordToStrongPasswordRequest.h", "crc.h", "WKUIDelegate.h", "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca", "MultipeerConnectivity.tbd", "GCDevicePhysicalInput.h", "IOBluetoothUtilities.h", "xdr_subs.h", "WKScriptMessage.h", "MCError.h", "pycore_condvar.h", "stdint.h", "canonical", "gettytab", "ebcdic_tables.h", "WKFindConfiguration.h", "systemInfo.csv", "_types.h", "GCDevicePhysicalInputState.h", "IOUSBHost.tbd", "custom_header_checks", "content-negotiation.html", "GKFriendRequestComposeViewController.h", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "GCButtonElement.h", "hv.h", "pio.h", "GCMicroGamepad.h", "perlsdio.h", "ASAuthorizationSingleSignOnRequest.h", "GCControllerAxisInput.h", "GKMatch.h", "AppleFirmwareUpdate.tbd", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "uconfig.h", "Bluetooth.h", "index.html.en", "transport", "GCRelativeInput.h", "nostdio.h", "IOUSBHostStream.h", "ASAuthorizationRequest.h", "WKContextMenuElementInfo.h", "utfebcdic.h", "bitcount.h", "pp.h", "ip_icmp.h", "kexts.txt", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertion.h", "ASWebAuthenticationSession.h", "iperlsys.h", "_endian.h", "WKPreferences.h", "dbixs_rev.h", "trap.h", "fakesdio.h", "IOBluetoothUserLib.h", "ASCredentialRequest.h", "nfsproto.h", "pp_proto.h", "WKContentWorld.h", "lber.h", "OSAtomic.h", "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "preboot_archive_errors.log", "GKGameSessionError.h", "GKLeaderboardScore.h", "GCControllerTouchpad.h", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "form.h", "uudmap.h", "GCController.h", "WKPreviewElementInfo.h", "interfaceDetails.csv", "plugin.js", "IOUSBHostCIDeviceStateMachine.h", "ntp.conf", "ASAuthorizationSingleSignOnCredential.h", "IOUSBHostInterface.h", "IOUSBHostControllerInterfaceDefinitions.h", "users.csv", "perldtrace.h", "https://www.whoxy.com/ualberta.ca", "mg_data.h", "GKBasePlayer.h", "ASAuthorizationOpenIDRequest.h", "GCKeyCodes.h", "hv_macro.h", "ASAuthorizationPublicKeyCredentialParameters.h", "vm_map.h", "WKFrameInfo.h", "main.cf", "arm_features.inc", "notify.conf", "GCInputNames.h", "perlio.h", "postfix-files", "WKDownload.h", "main.cf.default", "perl.h", "https://viewdns.info/iphistory/?domain=ualberta.ca", "AppleUSBDescriptorParsing.h", "sysctl.h", "unixish.h", "ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.h", "overload.h", "GCKeyboard.h", "IOPCIFamilyDefinitions.h", "aliases", "canvas.html", "MCNearbyServiceBrowser.h", "perl_langinfo.h", "mg_raw.h", "ASAuthorization.h", "memory_types.h", "GKChallengeEventHandler.h", "https://viewdns.info/portscan/?host=ualberta.ca", "Verification failure observed in automated verification handlers during sandbox replay.", "GKSavedGame.h", "AirPlayReceiver.tbd", "master.cf.default", "newsyslog.conf", "GKGameCenterViewController.h", "GKGameSessionEventListener.h", "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "WKNavigationDelegate.h", "ASAuthorizationPlatformPublicKeyCredentialDescriptor.h", "dosish.h", "GCProductCategories.h", "WKWebsiteDataRecord.h", "krb5.h", "ASCredentialIdentity.h", "manpaths", "ASFoundation.h", "nfs.conf", "kpi_ipfilter.h", "vm_fault.h", "bashrc", "ASPublicKeyCredential.h", "mydtrace.h", "diskEncryption.csv", "WKContentRuleList.h", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "udp.h", "GKSavedGameListener.h", "GCTouchedStateInput.h", "WebGPU.tbd", "ASAuthorizationAppleIDRequest.h", "GKSessionError.h", "ASAuthorizationPasswordProvider.h", "IOBluetoothTypes.h", "process_list.txt", "https://www.criminalip.io/asset/search?query=ualberta.ca", "in_pcb.h", "bashrc_Apple_Terminal", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "APConfigurationSystem.tbd", "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca", "Info.plist", "hv_func.h", "https://centralops.net/co/", "vm_far.h", "ASAuthorizationPlatformPublicKeyCredentialRegistration.h", "OpenAL.h", "perlapi.h", "ASCredentialServiceIdentifier.h", "perly.h", "kern_loader.conf", "ASPasswordCredentialIdentity.h", "ASAuthorizationWebBrowserExternallyAuthenticatableRequest.h", "mounts.csv", "static_if.h", "ASCredentialProviderViewController.h", "ASAccountAuthenticationModificationViewController.h", "vfs_support.h", "csh.logout", "gv.h", "GCRacingWheel.h", "embedvar.h", "Driver_xst.h", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "cpu_capabilities_public.h", "time64.h", "GCExtendedGamepad.h", "BluetoothAssignedNumbers.h", "keywords.h", "GKMatchmaker.h", "vBasicOps.h", "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100", "IOBluetoothUI.h", "vm_pageout.h", "GCControllerButtonInput.h", "python-3.9.pc", "launchdaemons.txt", "GCAxis2DInput.h", "GCAxisInput.h", "perl_inc_macro.h", "tcp.h", "al.h", "inline.h", "zshrc", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "AFKUser.tbd", "IOBluetooth.tbd", "GKTurnBasedMatch.h", "string.h", "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca", "master.cf.proto", "rpc", "AdID.tbd", "IOBluetooth.h", "rtadvd.conf", "GKPeerPickerController.h", "rpcv2.h", "lz4_constants.h", "GCDualSenseGamepad.h", "security_status.txt", "passwd", "WKScriptMessageHandlerWithReply.h", "https://whois.easycounter.com/ualberta.ca", "OSDebug.h", "UNDReply.defs", "cv.h", "GKSession.h", "locks.h", "GameController.h", "IOUSBHostControllerInterface.h", "https://dnsdumpster.com/", "ASAuthorizationCustomMethod.h", "arm64e-apple-ios-macabi.swiftinterface", "WKWebViewConfiguration.h", "WKBackForwardList.h", "IOBluetoothPairingController.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredential.h", "zprofile", "GCAxisElement.h", "GKGameSession.h", "preauth_plugin.h", "WKPDFConfiguration.h", "DBIXS.h", "GKGameSessionSharingViewController.h", "networks", "command_args.json", "ASAuthorizationPublicKeyCredentialLargeBlobAssertionInput.h", "sbox32_hash.h", "CredentialsCache.h", "GCDirectionPadElement.h", "https://www.robtex.com/en/dns-lookup/ca/ualberta", "XSUB.h", "GCSwitchPositionInput.h", "perl_siphash.h", "cpu.h", "tree.h", "sudo_lecture", "ptrauth.h", "ASAuthorizationAppleIDProvider.h", "in_arp.h", "WKNavigation.h", "usbDevices.csv", "git_version.h", "chromeExtensions.csv", "OSByteOrder.h", "_OSByteOrder.h", "WKUserScript.h", "ASAuthorizationPlatformPublicKeyCredentialProvider.h", "vForce.h", "IOUSBHostDefinitions.h", "GKAchievement.h", "apfs_boot_mount.tbd", "WKDataDetectorTypes.h", "man.conf", "https://reverseip.domaintools.com/search/?q=ualberta.ca", "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "GKVoiceChatService.h", "nfs.h", "ftpusers", "WKUserContentController.h", "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none", "https://who.is/whois/ualberta.ca", "GCPhysicalInputSource.h", "unicode_constants.h", "MapKit.tbd", "etcHosts.csv", "OBEXBluetooth.h", "krpc.h", "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc", "param.h", "icmp6.h", "desc.h", "ASAuthorizationPublicKeyCredentialDescriptor.h", "ASAuthorizationSecurityKeyPublicKeyCredentialAssertionRequest.h", "_mcontext.h", "WKContentRuleListStore.h", "encode.h", "WKURLSchemeTask.h", "ASAuthorizationError.h", "tcp_private.h", "asm_help.h", "gssapi_generic.h", "MultipeerConnectivity.apinotes", "sudoers", "OSTypes.h", "GCSwitchElement.h", "python3-embed.pc", "INUIAddVoiceShortcutViewController.h", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "GCDeviceLight.h", "ASAuthorizationWebBrowserSecurityKeyPublicKeyCredentialProvider.h", "l1_char_class_tab.h", "GCDevicePhysicalInputStateDiff.h", "limits.h", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "asl.conf", "WKNavigationAction.h", "stddef.h", "machine_routines.h", "ASAuthorizationPublicKeyCredentialAssertion.h", "regcomp.h", "opnames.h", "GCMicroGamepadSnapshot.h", "ASAuthorizationProvider.h", "GCExtern.h", "GCPhysicalInputProfile.h", "bind.html", "ASCredentialIdentityStore.h", "libkern.h", "patchlevel.h", "ldap.h", "access", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0", "GCControllerDirectionPad.h", "certificates.csv", "ip.h", "GCDeviceBattery.h", "version.h", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "makedefs.out", "KUNCUserNotifications.h", "machine_machdep.h", "cop.h", "oalMacOSX_OALExtensions.h", "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930", "audit_ioctl.h", "MultipeerConnectivity.h", "pf.conf", "xtab", "ASPasswordCredential.h", "GKLocalPlayer.h", "com_err.h", "https://www.merklemap.com/search?query=ualberta.ca&page=0", "in_stat.h", "IOPCIDevice.iig", "GCLinearInput.h", "bootp.h", "WKPreviewActionItemIdentifiers.h", "cpuid_internal.h", "vm_memtag.h", "tss.h", "AOSKit.tbd", "GKLeaderboard.h", "op_reg_common.h", "in_private.h", "zconf.h", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "vm_compressor_algorithms.h", "x86_64-apple-macos.swiftinterface", "ASPasswordCredentialRequest.h", "version.plist", "GCGearShifterElement.h", "OBEX.h", "tcp_fsm.h", "byte_order.h", "paths", "rmtab", "profile.h", "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290", "TargetConditionals.h", "WebDriver.tbd", "ASAuthorizationAppleIDCredential.h", "ASAccountAuthenticationModificationExtensionContext.h", "pal_routines.h", "IntentsUI.apinotes", "ASAuthorizationPublicKeyCredentialRegistration.h", "ASAuthorizationSecurityKeyPublicKeyCredentialRegistration.h", "GCPressedStateInput.h", "user_launchagents.txt", "IOUSBHostObject.h", "SwiftUI.swiftoverlay", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "perliol.h", "WebKit.apinotes", "csh.login", "syslog.conf", "autofs.conf", "ASExtensionErrors.h", "vm_options.h", "igmp.h", "WKScriptMessageHandler.h", "vecLib.h", "MCNearbyServiceAdvertiser.h", "popen_spawn_win32.py", "alc.h", "GKAchievementViewController.h", "sharedFolders.csv", "locate.rc", "WKWebsiteDataStore.h", "oalStaticBufferExtension.h", "find.codes", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "GCGamepad.h", "ASAuthorizationPublicKeyCredentialLargeBlobRegistrationInput.h", "pf.os", "LDAP.tbd", "embed.h", "IOBluetoothUIUserLib.h", "mounts.txt", "battery.csv", "mail.rc", "GCDualSenseAdaptiveTrigger.h", "machine_kpc.h", "metaconfig.h", "utf8.h", "kernel.csv", "ip6.h", "stdbool.h", "GKChallenge.h", "pmap.h", "GKTurnBasedMatchmakerViewController.h", "ASAuthorizationSecurityKeyPublicKeyCredentialProvider.h", "sel.h", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "op.h", "ASAccountAuthenticationModificationReplacePasswordWithSignInWithAppleRequest.h", "module.modulemap", "INUIAddVoiceShortcutButton.h", "opcode.h", "GKAccessPoint.h", "MCBrowserViewController.h", "ipc_types.h", "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca", "interfaceAddrs.csv", "IOUSBHostDevice.h", "ASAuthorizationAppleIDButton.h", "ASWebAuthenticationSessionCallback.h", "GKNotificationBanner.h", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialAssertionRequest.h", "sharingPreferences.csv", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "ASAuthorizationController.h", "AuthenticationServices.h", "ASPasskeyCredentialRequestParameters.h", "ASCredentialIdentityStoreState.h", "IOUSBHost.h", "GCMouseInput.h", "mg_vtable.h", "WKFindResult.h", "GCColor.h", "dbi_sql.h", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "launchD.csv", "if_ether.h", "https://bgp.he.net/dns/ualberta.ca", "protocols", "UNDTypes.defs", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.h", "https://search.odin.io/hosts?query=ualberta.ca", "WKOpenPanelParameters.h", "GCMouse.h", "ASWebAuthenticationSessionWebBrowserSessionHandling.h", "gssapi.h", "irbrc", "rc.netboot", "ASPasskeyRegistrationCredential.h", "GKPlayer.h", "io.h", "regexp.h", "GCEventViewController.h", "GKPublicConstants.h", "generic", "ASAuthorizationWebBrowserPlatformPublicKeyCredentialProvider.h", "disk_structure.txt", "reg_help.h", "IOUSBHostCIControllerStateMachine.h", "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697", "ASAccountAuthenticationModificationController.h", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "kdp_en_debugger.h", "https://www.urlvoid.com/dns-records-lookup/", "GCKeyNames.h", "IOBluetoothObjectPushUIController.h", "icmp_var.h", "tcp_var.h", "CodeResources", "ASAuthorizationSingleSignOnProvider.h", "IOBluetoothUI.tbd" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group", "Turla Group, FIN7, APT34, APT28, DragonForce Malaysia Hacker Group, Indonesia Islamic Warriors Counc" ], "malware_families": [ "Lastname", "Worm:win32/macoute.a", "Firstname", "Worm:win32/fesber.a", "Upackv037dwing", "Ver", "Cryp_xed-12", "Mal/generic-s", "Trojandownloader:win32/nemucod", "Trojanspy:win32/nivdort", "Ransom:win32/eniqma.a", "Osatomic", "Alf:heraklezeval:rogue:win32/fakerean", "Osreturn", "Internet", "Tofsee" ], "industries": [ "Technology", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d00b0ea85aaf98736", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.954000", "created": "2026-04-04T19:46:05.954000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7d28330920cf77f5b0", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:05.437000", "created": "2026-04-04T19:46:05.437000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7c0f0657edc9c6d735", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:04.113000", "created": "2026-04-04T19:46:04.113000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d16a7bc549fa66f964d19b", "name": "VirusTotal report\n for run.sh", "description": "A full report on the Bourne-Again malware, published on 18 October, 2016. \u00c2\u00a31.5m (\u20ac2.4m; $3.6m).", "modified": "2026-04-04T19:46:03.621000", "created": "2026-04-04T19:46:03.621000", "tags": [ "file type", "ascii", "ascii text", "c source", "python", "python script", "writes shell", "html document", "sample", "posix shell", "persistence", "info", "linuxunix shell", "perl script", "shell", "mitre attack", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "malicious", "next", "java source", "crlf line", "sgml document", "certificate", "version3", "java keystore", "fraud", "network info", "unicode text", "utf8 text", "png image", "window" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a711ab9f034ec8f7e6af1f3d2038912744b7633fa6722d9836965742dee6d6a2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331684&Signature=c5WpYuxTIbVivjy9twSEEFcaF8XNBTwVhnJlSlxi23MOgSHpgwXbHsfE6flrpICVrApX5aa%2FM9SEhNMSNrqfZfffeKVVlSP5HK83DIz5cX7zxj3e6QUJBxfzYTehKIu7PboV3pv7iqaiKuTSoAuVB7SO3q0cmLVdmj0CwgVl%2Bxb2uk8cAuHSozlNlUQTtKp4kj%2B7vXJ8Cu0R8tEldXA9lnQ2YHfdanefJ6U495%2B%2FoBB4eckkj1On", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775331990&Signature=xR4cCaqYva2bIYOcAYm48EanAq0MTwsTs8BeXhQOE0MrQatTTXDq8gR5ixARCa3GTu2zx8spFdfiUylsmJCarhu8D5vIEuQQ3UD02scWNSGkAu8HiPX2hmMd7Cbni5nWDZIHfI4%2BKCrW8SHDXTrKzyIVfRPxixWVBic9Yaidd1Oqa3KEls3bG28By6k5H1Rd1Qf27epwdP%2BUjrjgpKlmK5tO%2FP7kK1x%2FtMv3w6R4sjLiHATrIjPgoD", "https://vtbehaviour.commondatastorage.googleapis.com/deeb5ee27b4a740fb22423f0b54253f44fbc1c879569748aae9886f4a9113ec1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332051&Signature=Bo5b49qay%2F21SiP8bhvZJkYRuw%2BLHz1dfkvJnnEemMii%2F%2FNHk09bmq75u0v2tYMhruii4ncU%2BzXle2POGINpkNmed9FGVbpw3iSzCD9QQKvPuXK0ble2ocVUSZR5vo8vNEV9cS89z1r%2BYqpO3XyS7u%2BajghqNocwpRoq3dwURQqQEqC7II07YOa%2FRpjFQooyWMmOwKC9I%2Fny%2FUmw0%2BDrgg20Kf%2FNsuAzOZLMrdO2o%2B3z", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332091&Signature=CpWTTwCL%2FHBNW7gUdVTGV%2BaYfdffmVnwTljmRJrMAWNVTHZxyiho8OCuzbtyaSxy12vi8YVQ3DzfT8iWx74O9dBqvZgm5NXwFxgPE3qT7MSzykVmuGB9J00pmU2mZCTWSK6Vkm1KQxSJOEYfMu3aaL3P42m84wWdxFDLlEQl2rsllq4t0ADGNFSPSqAXvC6SBm%2F16y8gRzM9dYJ%2B%2FCjznOtd1vc2jV8%2BvjNPi1oJyyEbt2jnI4", "https://vtbehaviour.commondatastorage.googleapis.com/1a0c03d5766301f341ed160511b7442d063a320d6aa4ffd6bbec89a809059d09_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332117&Signature=QrQhWy6CHNIt4LrFDW8Us3KA0iRKZQsz1n3Grrkp%2FAFqaB1bg7YxB2%2F9WZxBzZ6PMwIWuUdgioXJFXzRQQ55c%2BCI5rBOGF290mKickctOopJ%2FIZ%2FS4MrYScbePx7GxujMl%2BBt0UT1MtozDTOja6QP2MBW5H2mbH5A5PYPJtpn4MwwQg6iUy4IAaEx9FeiJYrpkqvLSzsoq8uDCVv9GGvwXhzWDaOGvzxpSMsY%2BEZ0ti5z1hk8TsA2nI9", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332153&Signature=dgkLQ0GIqiF%2Fxe%2BVGzHTZfBQIbpzMfUfH2TTP0G%2FfiVlTXg8BMGx7TyX9WTGlpu6ejWe2xalYze6ohM5Fjaw86Z%2BhmeXwhayr3CfV%2F8EJzusPyOM03QF5IR1ftbWe5tFyxcV0TtA1S5PehVGZRHYHV%2FpOG%2BbzR1Dcn2z2u0I72hZ%2F7X5nKoHtBjRMDvZnZneoi%2FAI9C2DMtsZemC3g7FLaEM6BV1JXkzjSoeH01LFLze", "https://vtbehaviour.commondatastorage.googleapis.com/6ff69fa3791b2fa97f24d4bf813c0482afa79961203ba0251fd98328c96ed36e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775332172&Signature=AEpI2boARQpxEdX1svqF6ucRMxm96JGdMomcZOTdUlwdGfdyyB8kDhkui3aHlFIFUijkXBGRDLpG4%2FEFvHiA4JDASaFT7MuYUgw%2Fy7xLA5S28HNLgqEqzGb4TSOa58v0WxA0YOpEEs8i8Umx7Kx6LM7C5R9OI50lKO9ma917WLa3ugyTqBnXCqx9Rgb7OwRuWGCAnqNUqjSXub0XMP8HEgzkgzPRzOZkoSA07gn7t6bTHV4QLuqEHqQX3YZPbSI3ld" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 2469, "URL": 287, "domain": 281, "hostname": 110, "IPv4": 5 }, "indicator_count": 3188, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5d5e3505dead54faab143", "name": "com.apple.security.sos.error.com", "description": "....sos", "modified": "2026-04-02T23:13:44.625000", "created": "2026-03-02T18:24:35.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 139, "domain": 113, "URL": 126, "FileHash-MD5": 91, "FileHash-SHA1": 72, "FileHash-SHA256": 777, "CIDR": 3 }, "indicator_count": 1321, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b67fcb32a370a5be555e6c", "name": "VirusTotal report\n for od-sugar-mail-email-app-mod-apk-pro-unlocked-1-4-329-329.apk", "description": "I don't own an android. \"not malicious\" \"Requests potentially dangerous permissions\" smh. Defense Evasion\nT1421 System Network Connections Discovery confidence: medium\nT1422 System Network Configuration Discovery confidence: medium\nT1430 Location Tracking confidence: medium\nT1418 Software Discovery confidence: medium\nT1426 System Information Discovery confidence: medium\nT1424 Process Discovery confidence: medium\nDiscovery\nT1430 Location Tracking confidence: medium\nT1518.001 Security Software Discovery confidence: low\nT1409 Stored Application Data confidence: medium\nNetwork Info", "modified": "2026-03-15T10:27:15.864000", "created": "2026-03-15T09:45:47.270000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 76, "hostname": 20, "domain": 16 }, "indicator_count": 118, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b60cdecf42fb532f2ceb12", "name": "U of A DataBreach Update - 11.13.25", "description": "Domain Analysis that serves as evidence of an on-going DataBreaches at the University of Alberta with associated references.\nAnalysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta as detailed in this Pulse.", "modified": "2025-12-13T22:01:27.739000", "created": "2025-09-01T21:15:10.117000", "tags": [ "as16509", "amazon02", "redirect", "tags", "as14618", "amazonaes", "search", "public", "search live", "api blog", "patch http", "please", "javascript", "url", "website", "web", "scanner", "analyze", "analyzer", "search api", "make sure", "domain", "and not", "page", "home search", "live api", "blog docs", "pricing login", "greynoise", "visualizer skip", "service status", "company blog", "us careers", "policies vpat", "slo privacy", "cookie patent", "copyright", "google privacy", "sandbox", "reputation", "phishing", "malware", "amazon web", "services", "warning icon", "share report", "systems", "cloudflare", "varnish", "nginx", "apache", "write", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "course", "program", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "UAlberta" ], "references": [ "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs", "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary", "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca", "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930", "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0", "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc", "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43", "https://viz.greynoise.io/query/AS3359", "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark", "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca", "https://www.urlvoid.com/dns-records-lookup/", "https://www.shodan.io/search?query=ualberta.ca", "https://dnsdumpster.com/", "https://bgpview.io/asn/3359#whois", "https://centralops.net/co/", "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100", "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697", "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca", "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290", "https://www.criminalip.io/asset/search?query=ualberta.ca", "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca", "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report", "https://whois.domaintools.com/ualberta.ca", "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca", "https://viewdns.info/iphistory/?domain=ualberta.ca", "https://viewdns.info/portscan/?host=ualberta.ca", "https://whois.easycounter.com/ualberta.ca", "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca", "https://who.is/whois/ualberta.ca", "https://www.robtex.com/en/dns-lookup/ca/ualberta", "https://www.whoxy.com/ualberta.ca", "https://reverseip.domaintools.com/search/?q=ualberta.ca", "https://bgp.he.net/dns/ualberta.ca", "https://intelx.io/?s=ualberta.ca", "https://pulsedive.com/indicator/?indicator=ualberta.ca", "https://web.archive.org/web/20250000000000*/ualberta.ca", "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none", "https://viewdns.info/traceroute/?domain=ualberta.ca", "https://centralops.net/co/DomainDossier.aspx", "https://search.odin.io/hosts?query=ualberta.ca", "https://www.merklemap.com/search?query=ualberta.ca&page=0" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 92, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9901, "domain": 790, "email": 982, "hostname": 10520, "FileHash-MD5": 550, "FileHash-SHA256": 1726, "FileHash-SHA1": 519, "SSLCertFingerprint": 64, "CIDR": 26, "CVE": 12 }, "indicator_count": 25090, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "foo.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "foo.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776620214.6950724 }