{
"type": "Domain",
"indicator": "git-api.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/git-api.com",
"alexa": "http://www.alexa.com/siteinfo/git-api.com",
"indicator": "git-api.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 2830887005,
"indicator": "git-api.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69ddc6c9f25c71625fb0b9e6",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:47.333000",
"created": "2026-04-14T04:47:05.317000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc674d6814ef6ff10b49a",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:36.465000",
"created": "2026-04-14T04:45:40.694000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 10,
"IPv4": 58,
"hostname": 513,
"FileHash-SHA256": 807,
"domain": 136,
"FileHash-MD5": 335,
"FileHash-SHA1": 278,
"URL": 721
},
"indicator_count": 2858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc67ab71a32bb4cd407ca",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:32.943000",
"created": "2026-04-14T04:45:46.815000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d6619d62ea0c3bbf0ebf75",
"name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
"description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
"modified": "2026-04-08T14:09:33.432000",
"created": "2026-04-08T14:09:33.432000",
"tags": [
"issuer apple",
"valid from",
"valid",
"serial number",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"file version",
"team identifier",
"apple root",
"ca feb",
"am ma9eduzpcw",
"signers",
"issuer valid",
"from valid",
"status issuer",
"apple inc",
"valid apple",
"a9 a8",
"process32nextw",
"regsetvalueexa",
"read c",
"regdword",
"tls handshake",
"failure",
"msie",
"malware",
"write",
"win32",
"unknown",
"dynamicloader",
"high",
"myapp",
"device driver",
"host",
"worm",
"delphi",
"error",
"code",
"defender",
"next",
"file score",
"cryp",
"virus",
"checkin tls",
"forbidden yara",
"msvisualcpp2008",
"less ip",
"contacted",
"scanning host",
"trojan",
"exploit host",
"apple inc",
"monitored target",
"targeting",
"name servers",
"servers",
"expiration date",
"value emails",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"tulach"
],
"references": [
"com.iobit.MacBooster-3",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alerts: checks_debugger has_pdb raises_exception",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"Issue! Multiple IoC\u2019s missing.",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"Researching using an easy powerful tool like this has led to confrontations.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"I did not clone my pulse to read Bit.io",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"This would be sent in an email but \u2026.",
"About pulse, found in peripheral.",
"When your pulse says contacted, who is contacted besides OTX?",
"An earlier version contacted entities affected or affecting targets."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 75,
"FileHash-MD5": 102,
"FileHash-SHA256": 2076,
"IPv4": 111,
"URL": 2496,
"CVE": 2,
"domain": 483,
"hostname": 938,
"email": 4,
"SSLCertFingerprint": 2
},
"indicator_count": 6289,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "10 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6675c61d2a8e4554b9985027",
"name": "BLOCK_2024",
"description": "",
"modified": "2026-02-04T19:03:11.880000",
"created": "2024-06-21T18:27:41.885000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65e899612f5527bad9d4e5a8",
"export_count": 6857098,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2306,
"FileHash-MD5": 4833,
"URL": 1674,
"hostname": 1302,
"FileHash-SHA256": 6371,
"FileHash-SHA1": 4014,
"IPv4": 3524,
"CIDR": 19,
"email": 190,
"CVE": 4
},
"indicator_count": 24237,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 108,
"modified_text": "73 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692f04e9fa3d782118e94aac",
"name": "LevelBlue - Open Threat Exchange - Delete AppDeployed",
"description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.",
"modified": "2026-01-01T15:04:20.907000",
"created": "2025-12-02T15:25:29.158000",
"tags": [
"levelblue",
"open threat",
"dynamicloader",
"tlsv1",
"high",
"msie",
"windows nt",
"delete c",
"fwlink",
"stream",
"powershell",
"write",
"malware",
"local",
"united",
"flag",
"date",
"server",
"crazy egg",
"name server",
"gmt flag",
"domain address",
"markmonitor",
"enom",
"sugges",
"onv incude",
"data upload",
"find s",
"extraction",
"types",
"type",
"indicator",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"contacted hosts",
"search",
"entries",
"read c",
"medium",
"memcommit",
"tls handshake",
"failure",
"module load",
"next",
"execution",
"dock",
"capture",
"persistence",
"copy",
"unknown",
"suricata alert",
"et info",
"bad traffic",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"file defense",
"write c",
"x02x82",
"xe6x15c6",
"x16f",
"xc0xc0xc0",
"revengerat",
"guard",
"service",
"encrypt",
"entries yara",
"delphi",
"win32",
"jordan",
"delete app"
],
"references": [
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vmprotect-9880726-0",
"display_name": "Win.Malware.Vmprotect-9880726-0",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Legal"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4624,
"FileHash-SHA256": 2021,
"FileHash-MD5": 51,
"FileHash-SHA1": 20,
"SSLCertFingerprint": 10,
"hostname": 1433,
"domain": 728
},
"indicator_count": 8887,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e8cd886e0bb692e8a9d08",
"name": "Blocker Ransomware affecting Apple and iCloud | Injection",
"description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.",
"modified": "2026-01-01T06:01:02.583000",
"created": "2025-12-02T06:53:12.823000",
"tags": [
"url https",
"url http",
"domain",
"fh no",
"ipv4",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"mitre att",
"ck id",
"ck matrix",
"ascii text",
"href",
"network traffic",
"general",
"local",
"click",
"strings",
"learn",
"name tactics",
"suspicious",
"informative",
"found",
"command",
"adversaries",
"spawns",
"defense evasion",
"dynamicloader",
"windows nt",
"wow64",
"khtml",
"gecko",
"write c",
"unknown",
"virtool",
"write",
"defender",
"malware",
"delete",
"alerts",
"backdoor",
"high",
"ip address",
"t1045",
"packing",
"t1055",
"injection",
"t1060",
"run keys",
"startup",
"folder",
"t1119",
"t1027",
"tools",
"families",
"mirai",
"indicator role",
"active related",
"hackers",
"ahmann",
"usual suspects"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Backdoor:Win32/Drixed",
"display_name": "Backdoor:Win32/Drixed",
"target": "/malware/Backdoor:Win32/Drixed"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "Ransom:Win32/Blocker.NN!MTB",
"display_name": "Ransom:Win32/Blocker.NN!MTB",
"target": "/malware/Ransom:Win32/Blocker.NN!MTB"
},
{
"id": "Unix.Trojan.Mirai-7135937-0",
"display_name": "Unix.Trojan.Mirai-7135937-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1066",
"name": "Indicator Removal from Tools",
"display_name": "T1066 - Indicator Removal from Tools"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1590.002",
"name": "DNS",
"display_name": "T1590.002 - DNS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 234,
"FileHash-SHA1": 219,
"FileHash-SHA256": 841,
"URL": 2606,
"domain": 298,
"hostname": 772,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 4973,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69404b09d8296388596ecfa9",
"name": "BLOCK_2025_DIC",
"description": "",
"modified": "2025-12-24T16:04:11.529000",
"created": "2025-12-15T17:53:13.004000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6675c61d2a8e4554b9985027",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2300,
"FileHash-MD5": 4833,
"URL": 1673,
"hostname": 1297,
"FileHash-SHA256": 6371,
"FileHash-SHA1": 4014,
"IPv4": 3235,
"CIDR": 19,
"email": 170,
"CVE": 4
},
"indicator_count": 23916,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 79,
"modified_text": "115 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690b39b3cf3cb86d14ccd811",
"name": "VirusTotal Graph - 11.05.25 - UAlberta Insiders",
"description": "I was just looking for a Dark Gate and came across this...hmmmm....\nI enriched on import, vet out and refer to virustotal graph referenced.\nRefer to References below - am unable to get them in. Profiled student group (OSINT) - unclear if potential allies or not.",
"modified": "2025-12-05T11:00:41.797000",
"created": "2025-11-05T11:49:07.495000",
"tags": [
"chadsualberta"
],
"references": [
"https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark",
"https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc",
"ThreatZone - Malicious",
"https://tria.ge/251105-yvvzgssldn",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188",
"Email: chads@ualberta[.]ca"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 120,
"FileHash-SHA1": 120,
"FileHash-SHA256": 1809,
"URL": 603,
"domain": 396,
"hostname": 514
},
"indicator_count": 3562,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "135 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d37e35f99d852d38beb769",
"name": "Cryptex Port Key \u2022 RedLine Stealer affects Threat Research Platform/s",
"description": "#attack? #honeypot?",
"modified": "2025-10-24T04:02:54.218000",
"created": "2025-09-24T05:14:28.101000",
"tags": [
"x00x00n",
"memcommit",
"regopenkeyexw",
"regsz",
"else",
"ipnnoysrdi tr",
"writeconsolew",
"cryptexportkey",
"invalid pointer",
"x1ex00x00n",
"redline stealer",
"service",
"powershell",
"tools",
"persistence",
"execution",
"dock",
"write",
"updater",
"malware",
"passive dns",
"urls",
"url add",
"ip address",
"related nids",
"files location",
"hong kong",
"united",
"present jul",
"present dec",
"search",
"present may",
"a domains",
"name servers",
"unknown aaaa",
"trojan",
"present jan",
"present sep",
"moved",
"title",
"span td",
"td td",
"tr tr",
"a li",
"ipv4 internet",
"span",
"meta",
"gmt content",
"ipv4 add",
"reverse dns",
"trojanx",
"location hong kong",
"software",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"spawns",
"development att",
"ascii text",
"pattern match",
"mitre att",
"ck matrix",
"sha1",
"odigicert inc",
"network traffic",
"general",
"local",
"path",
"encrypt",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"size",
"crlf line",
"urlhttps",
"extracted files",
"acquires",
"networking",
"readiness"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 150,
"FileHash-SHA1": 148,
"FileHash-SHA256": 3059,
"domain": 1277,
"URL": 4166,
"hostname": 1251,
"SSLCertFingerprint": 10,
"email": 1
},
"indicator_count": 10062,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "177 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "654c34e7efa40976a9dd655b",
"name": "SOC2023",
"description": "",
"modified": "2025-08-17T17:03:38.868000",
"created": "2023-11-09T01:24:55.160000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65491efbfc3d9479076431bb",
"export_count": 36,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1714,
"FileHash-MD5": 3448,
"URL": 727,
"hostname": 912,
"FileHash-SHA256": 4539,
"FileHash-SHA1": 2696,
"IPv4": 276,
"CIDR": 10,
"email": 28
},
"indicator_count": 14350,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 91,
"modified_text": "244 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "682bef60c4841f09773d1c7f",
"name": "Expanded: Close proximity RMS module attack. Critical infrastructure affected. Medical, Business, Legal., Religious institutions",
"description": "Close proximity hacking tool used following stalking event. Connecting to device attacks other devices and critical systems.\nPegasusLoader expanded. \nCritical Issues \niOS is now an unidentifiable device.\nDuckDuckGo Search engine\nhas emoji arrows \nIOS default Google search engine has overlay and continuous flooding of bad traffic. Severe DNS issue. Botnet involvement, height priority messages intercepted. \nExcessive abuse of Mitre T1480 Execution Gaurdrails .Geopfencing. Targets attacked by illegal PegasusLoader.exe cannot use iOS devices as designed paid the same price as everyone. \n\nI can\u2019t explain how iCloud only backs up to unknown devices. Users have zero control of any technology devices or content.\nThreat actors have remotely rebuilt device infrastructure / architecture.\n-Team 8",
"modified": "2025-06-19T02:03:50.197000",
"created": "2025-05-20T02:56:31.741000",
"tags": [
"win32 exe",
"file type",
"name file",
"text state",
"text",
"text geoip6",
"csv geoip",
"get https",
"dns resolutions",
"number",
"cnwe1 ogoogle",
"trust",
"cus subject",
"response"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 27,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 71,
"FileHash-SHA1": 176,
"FileHash-SHA256": 3815,
"URL": 2239,
"domain": 850,
"hostname": 906
},
"indicator_count": 8057,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "304 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "679c246c8bf7850b5096828e",
"name": "2024-blocking-soc-ene25",
"description": "",
"modified": "2025-02-15T00:01:08.338000",
"created": "2025-01-31T01:16:28.004000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6675c61d2a8e4554b9985027",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2045,
"FileHash-MD5": 4426,
"URL": 1463,
"hostname": 1231,
"FileHash-SHA256": 5892,
"FileHash-SHA1": 3625,
"IPv4": 189,
"CIDR": 6,
"email": 163
},
"indicator_count": 19040,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 84,
"modified_text": "428 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "679c246da161670e959a9eec",
"name": "2024-blocking-soc-ene25",
"description": "",
"modified": "2025-02-15T00:01:08.338000",
"created": "2025-01-31T01:16:29.608000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6675c61d2a8e4554b9985027",
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2045,
"FileHash-MD5": 4426,
"URL": 1463,
"hostname": 1231,
"FileHash-SHA256": 5892,
"FileHash-SHA1": 3625,
"IPv4": 189,
"CIDR": 6,
"email": 163
},
"indicator_count": 19040,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 84,
"modified_text": "428 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6758ebc2472100ac75acad69",
"name": "2024-DIC-10-Clon",
"description": "",
"modified": "2025-01-09T23:04:00.232000",
"created": "2024-12-11T01:32:50.260000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6675c61d2a8e4554b9985027",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2030,
"FileHash-MD5": 4171,
"URL": 1324,
"hostname": 1222,
"FileHash-SHA256": 5634,
"FileHash-SHA1": 3368,
"IPv4": 189,
"CIDR": 6,
"email": 162
},
"indicator_count": 18106,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 84,
"modified_text": "464 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6765eebf9ec06704f3a6ea68",
"name": "CLON IPIF",
"description": "",
"modified": "2025-01-09T23:04:00.232000",
"created": "2024-12-20T22:25:03.407000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6675c61d2a8e4554b9985027",
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2031,
"FileHash-MD5": 4171,
"URL": 1324,
"hostname": 1222,
"FileHash-SHA256": 5634,
"FileHash-SHA1": 3368,
"IPv4": 189,
"CIDR": 6,
"email": 162
},
"indicator_count": 18107,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 84,
"modified_text": "464 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6732a0b6cc4c5356a823de37",
"name": "_CLON_2024_NOV11",
"description": "",
"modified": "2024-12-11T00:00:21.805000",
"created": "2024-11-12T00:26:30.524000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6675c61d2a8e4554b9985027",
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1795,
"FileHash-MD5": 3724,
"URL": 1028,
"hostname": 1096,
"FileHash-SHA256": 5030,
"FileHash-SHA1": 2927,
"IPv4": 189,
"CIDR": 6,
"email": 28
},
"indicator_count": 15823,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 84,
"modified_text": "494 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65aab954f5f03a1f2906b39c",
"name": "Zerobot",
"description": "",
"modified": "2024-10-12T07:01:26.973000",
"created": "2024-01-19T18:03:00.966000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"historical ssl",
"resolutions",
"whois whois",
"communicating",
"subdomains",
"contacted",
"c1on",
"cmdwget http",
"metro",
"zerobot",
"execution",
"skynet",
"june"
],
"references": [
"https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities Source"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ZeroBot",
"display_name": "ZeroBot",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65aa168aeddea4851fc47cc3",
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 123,
"FileHash-SHA1": 123,
"FileHash-SHA256": 2498,
"domain": 1600,
"hostname": 2749,
"URL": 6303,
"CVE": 1
},
"indicator_count": 13397,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "554 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "63456c2a30b92337ea1670e0",
"name": "IOC Records Provided by @NextRayAI",
"description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.",
"modified": "2024-07-16T20:30:56.084000",
"created": "2022-10-11T13:14:18.676000",
"tags": [
"Nextray",
"cyber security",
"ioc",
"phishing",
"malicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Turkey",
"Ukraine",
"Romania",
"Czechia",
"United Kingdom of Great Britain and Northern Ireland",
"Norway",
"Lithuania",
"Estonia",
"Latvia",
"Poland",
"Germany",
"Canada",
"France",
"Denmark"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Defense",
"Industrial",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1325,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "NextRay-AI",
"id": "210822",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 493080,
"IPv4": 3458,
"IPv6": 519,
"hostname": 41105,
"URL": 155223,
"CIDR": 5266
},
"indicator_count": 698651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 283,
"modified_text": "641 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66480cb1cc174fd804e0cef9",
"name": "Elgoogle",
"description": "",
"modified": "2024-05-18T02:12:28.801000",
"created": "2024-05-18T02:04:33.967000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "65709f0bbdd32cb4b343a12f",
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Elgoogle",
"id": "281171",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2218,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1175,
"hostname": 2514,
"JA3": 2,
"email": 83,
"FileHash-SHA1": 7164,
"CVE": 35
},
"indicator_count": 44904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 8,
"modified_text": "701 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65aa168aeddea4851fc47cc3",
"name": "Zerobot & Skynet",
"description": "Zerobot is a new botnet written in the Go programming language. It communicates via the WebSocket protocol",
"modified": "2024-03-23T01:01:38.014000",
"created": "2024-01-19T06:28:26.343000",
"tags": [
"ssl certificate",
"whois record",
"referrer",
"historical ssl",
"resolutions",
"whois whois",
"communicating",
"subdomains",
"contacted",
"c1on",
"cmdwget http",
"metro",
"zerobot",
"execution",
"skynet",
"june"
],
"references": [
"https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities Source"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "ZeroBot",
"display_name": "ZeroBot",
"target": null
},
{
"id": "Skynet",
"display_name": "Skynet",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 78,
"FileHash-SHA1": 78,
"FileHash-SHA256": 2290,
"domain": 1491,
"hostname": 2611,
"URL": 5879,
"CVE": 8
},
"indicator_count": 12435,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "757 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65fc23e4c36f0715310e1d95",
"name": "SOC_BLOCK_NEW",
"description": "",
"modified": "2024-03-21T12:11:41.190000",
"created": "2024-03-21T12:11:16.345000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65e899612f5527bad9d4e5a8",
"export_count": 275,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": true,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "fencesense",
"id": "255590",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1715,
"FileHash-MD5": 3498,
"URL": 729,
"hostname": 911,
"FileHash-SHA256": 4590,
"FileHash-SHA1": 2746,
"IPv4": 189,
"CIDR": 6,
"email": 28
},
"indicator_count": 14412,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 25,
"modified_text": "758 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f5828f8217ecbe6ce3a89b",
"name": "IOCs Industriales",
"description": "",
"modified": "2024-03-16T11:29:19.302000",
"created": "2024-03-16T11:29:19.302000",
"tags": [
"Nextray",
"cyber security",
"ioc",
"phishing",
"malicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Turkey",
"Ukraine",
"Romania",
"Czechia",
"United Kingdom of Great Britain and Northern Ireland",
"Norway",
"Lithuania",
"Estonia",
"Latvia",
"Poland",
"Germany",
"Canada",
"France",
"Denmark"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Defense",
"Industrial",
"Government"
],
"TLP": "white",
"cloned_from": "63456c2a30b92337ea1670e0",
"export_count": 81,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dtatov00",
"id": "256758",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 493080,
"IPv4": 3458,
"IPv6": 519,
"hostname": 41105,
"URL": 155223,
"CIDR": 5266
},
"indicator_count": 698651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 56,
"modified_text": "763 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f5827a4e23b095e5af5f44",
"name": "IOCs Industriales",
"description": "",
"modified": "2024-03-16T11:28:58.984000",
"created": "2024-03-16T11:28:58.984000",
"tags": [
"Nextray",
"cyber security",
"ioc",
"phishing",
"malicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Turkey",
"Ukraine",
"Romania",
"Czechia",
"United Kingdom of Great Britain and Northern Ireland",
"Norway",
"Lithuania",
"Estonia",
"Latvia",
"Poland",
"Germany",
"Canada",
"France",
"Denmark"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Defense",
"Industrial",
"Government"
],
"TLP": "white",
"cloned_from": "63456c2a30b92337ea1670e0",
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dtatov00",
"id": "256758",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 493080,
"IPv4": 3458,
"IPv6": 519,
"hostname": 41105,
"URL": 155223,
"CIDR": 5266
},
"indicator_count": 698651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "763 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f582700d35b0e7c8dd9df8",
"name": "IOCs Industriales",
"description": "",
"modified": "2024-03-16T11:28:48.062000",
"created": "2024-03-16T11:28:48.062000",
"tags": [
"Nextray",
"cyber security",
"ioc",
"phishing",
"malicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Turkey",
"Ukraine",
"Romania",
"Czechia",
"United Kingdom of Great Britain and Northern Ireland",
"Norway",
"Lithuania",
"Estonia",
"Latvia",
"Poland",
"Germany",
"Canada",
"France",
"Denmark"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Defense",
"Industrial",
"Government"
],
"TLP": "white",
"cloned_from": "63456c2a30b92337ea1670e0",
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dtatov00",
"id": "256758",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 493080,
"IPv4": 3458,
"IPv6": 519,
"hostname": 41105,
"URL": 155223,
"CIDR": 5266
},
"indicator_count": 698651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "763 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65f5823b9d7bc6b422256296",
"name": "IOCs Industriales",
"description": "",
"modified": "2024-03-16T11:27:55.808000",
"created": "2024-03-16T11:27:55.808000",
"tags": [
"Nextray",
"cyber security",
"ioc",
"phishing",
"malicious"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Turkey",
"Ukraine",
"Romania",
"Czechia",
"United Kingdom of Great Britain and Northern Ireland",
"Norway",
"Lithuania",
"Estonia",
"Latvia",
"Poland",
"Germany",
"Canada",
"France",
"Denmark"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Defense",
"Industrial",
"Government"
],
"TLP": "white",
"cloned_from": "63456c2a30b92337ea1670e0",
"export_count": 28,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "dtatov00",
"id": "256758",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 493080,
"IPv4": 3458,
"IPv6": 519,
"hostname": 41105,
"URL": 155223,
"CIDR": 5266
},
"indicator_count": 698651,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 45,
"modified_text": "763 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "64dd9c1d76a7807782a691d3",
"name": "IOC's found on my pesonal devices; week starting 08/14/23",
"description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.",
"modified": "2024-02-14T21:44:02.852000",
"created": "2023-08-17T04:03:41.985000",
"tags": [
"o cloexec",
"r procversion",
"cachyos",
"gnu ld",
"gnu binutils",
"microsoft",
"f lockfd",
"cygwin",
"u respfd",
"procselffd13",
"procselffd14",
"x8664",
"uname",
"linux",
"getconf",
"cpus32",
"case",
"m x8664",
"s linux",
"x8664 o",
"z linux",
"z x8664",
"replying",
"timing",
"successfully",
"shift",
"procselffd16",
"empty",
"head",
"dirty",
"found",
"splitting",
"license",
"index",
"kill",
"zfrm",
"argv"
],
"references": [
".ICE-unix",
".org.chromium.Chromium.12ZdF3",
".vbox-mrkd-ipc",
"@tmp",
".org.chromium.Chromium.T2jdbS",
".X11-unix",
"albert_yt_ynb2tftv",
"fish.root",
"20230816_202710-scantemp.b14ff4bc3a",
"plasma-csd-generator.LTvjbT",
"pytest-of-mrkd",
"runtime-root",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp",
".org.chromium.Chromium.coQnti",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg",
"bauh@mrkd",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR",
".org.chromium.Chromium.8GBhMA",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7",
".org.chromium.Chromium.HMzFxo",
"Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c",
"tmp.D4NXyZ3U4J",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s",
"Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f",
"tmp.ziktUZeKXL",
"v8-compile-cache-0",
"tmp90lfbdek",
"tst-bz26353KOtJVp",
"v8-compile-cache-1000",
".X0-lock",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log",
"Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log",
"gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log",
"gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log",
"qtsingleapp-Notifi-4c42-3e8",
"gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log",
"memmemY_2MMv.c",
"gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log",
"qtsingleapp-Notifi-4c42-3e8-lockfile",
"stdbool.hcc0B2j.c",
"strlcatmMvE1V.c",
"qtsingleapp-Octopi-1d88-3e8-lockfile",
"strlcpydb8x03.c",
"stdbool.ht64kj6qw.c",
"qtsingleapp-Octopi-1d88-3e8",
"gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log",
"https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9",
"https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c",
"https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445",
"https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca",
"https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80",
"https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6",
"https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details",
"https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd"
],
"public": 1,
"adversary": "N/A",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "BV:TelegramBot-A\\ [Trj]",
"display_name": "BV:TelegramBot-A\\ [Trj]",
"target": null
},
{
"id": "Ransom:Linux/DarkRadiation.A!MTB",
"display_name": "Ransom:Linux/DarkRadiation.A!MTB",
"target": "/malware/Ransom:Linux/DarkRadiation.A!MTB"
},
{
"id": "SLF:MamacseMacro.A",
"display_name": "SLF:MamacseMacro.A",
"target": null
},
{
"id": "TrojanDownloader:Linux/Morila!MTB",
"display_name": "TrojanDownloader:Linux/Morila!MTB",
"target": "/malware/TrojanDownloader:Linux/Morila!MTB"
},
{
"id": "Backdoor:Win32/R2d2.A",
"display_name": "Backdoor:Win32/R2d2.A",
"target": "/malware/Backdoor:Win32/R2d2.A"
},
{
"id": "Sf:ShellCode-DZ\\ [Trj]",
"display_name": "Sf:ShellCode-DZ\\ [Trj]",
"target": null
},
{
"id": "NETexecutableMicrosoft",
"display_name": "NETexecutableMicrosoft",
"target": null
},
{
"id": "TrojanDropper:Win32/FakeFlexnet.A",
"display_name": "TrojanDropper:Win32/FakeFlexnet.A",
"target": "/malware/TrojanDropper:Win32/FakeFlexnet.A"
},
{
"id": "Delphi",
"display_name": "Delphi",
"target": null
}
],
"attack_ids": [],
"industries": [
"individuals"
],
"TLP": "white",
"cloned_from": null,
"export_count": 33,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Merkd1904",
"id": "196517",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 206,
"domain": 5129,
"FileHash-MD5": 177,
"FileHash-SHA1": 114,
"URL": 646,
"hostname": 2078,
"CVE": 412,
"email": 4
},
"indicator_count": 8766,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 82,
"modified_text": "794 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a9b042961d3e7a6a564d",
"name": "bkp16oct",
"description": "",
"modified": "2023-12-06T17:04:48.880000",
"created": "2023-12-06T17:04:48.880000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1390,
"FileHash-SHA256": 3099,
"hostname": 769,
"FileHash-MD5": 2353,
"FileHash-SHA1": 1624,
"URL": 590,
"email": 26,
"IPv4": 150,
"CIDR": 6
},
"indicator_count": 10007,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 113,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a8b5cae685fce7f5231f",
"name": "bkp oct 10",
"description": "",
"modified": "2023-12-06T17:00:37.687000",
"created": "2023-12-06T17:00:37.687000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1376,
"FileHash-SHA256": 3065,
"hostname": 768,
"FileHash-MD5": 2320,
"FileHash-SHA1": 1591,
"URL": 589,
"email": 26,
"IPv4": 150,
"CIDR": 6
},
"indicator_count": 9891,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a7d02c5746343283fc12",
"name": "bkp5o23",
"description": "",
"modified": "2023-12-06T16:56:48.472000",
"created": "2023-12-06T16:56:48.472000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"FileHash-SHA256": 3021,
"hostname": 764,
"FileHash-MD5": 2278,
"FileHash-SHA1": 1539,
"URL": 589,
"email": 26,
"IPv4": 150,
"CIDR": 6
},
"indicator_count": 9738,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a7aaee2e95f7517277d3",
"name": "bkp03test",
"description": "",
"modified": "2023-12-06T16:56:10.492000",
"created": "2023-12-06T16:56:10.492000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1362,
"FileHash-SHA256": 2891,
"hostname": 755,
"FileHash-MD5": 2159,
"FileHash-SHA1": 1420,
"URL": 589,
"email": 26,
"IPv4": 148,
"CIDR": 6
},
"indicator_count": 9356,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a7a346ec10c12d5b15b5",
"name": "BKPo3",
"description": "",
"modified": "2023-12-06T16:56:03.381000",
"created": "2023-12-06T16:56:03.381000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1362,
"FileHash-SHA256": 2891,
"hostname": 755,
"FileHash-MD5": 2159,
"FileHash-SHA1": 1420,
"URL": 589,
"email": 26,
"IPv4": 148,
"CIDR": 6
},
"indicator_count": 9356,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a756ee3c8ce2314e235a",
"name": "Home Networks",
"description": "",
"modified": "2023-12-06T16:54:46.263000",
"created": "2023-12-06T16:54:46.263000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 290,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2298,
"FileHash-SHA256": 24535,
"FileHash-MD5": 7197,
"URL": 1188,
"hostname": 2636,
"JA3": 2,
"email": 96,
"CVE": 44,
"FileHash-SHA1": 7174
},
"indicator_count": 45170,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 114,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a602c1e9c47280c247e4",
"name": "SOC2023",
"description": "",
"modified": "2023-12-06T16:49:06.159000",
"created": "2023-12-06T16:49:06.159000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1420,
"FileHash-SHA256": 3123,
"hostname": 769,
"FileHash-MD5": 2379,
"FileHash-SHA1": 1642,
"URL": 590,
"email": 26,
"IPv4": 150,
"CIDR": 6
},
"indicator_count": 10105,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a5f81702fdce6c496a1c",
"name": "Undefined Name",
"description": "",
"modified": "2023-12-06T16:48:56.950000",
"created": "2023-12-06T16:48:56.950000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1345,
"FileHash-SHA256": 2819,
"hostname": 741,
"FileHash-MD5": 2106,
"FileHash-SHA1": 1371,
"URL": 571,
"email": 26,
"IPv4": 148,
"CIDR": 6
},
"indicator_count": 9133,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a5a5f6bf793f823e6397",
"name": "Undefined Name",
"description": "",
"modified": "2023-12-06T16:47:33.032000",
"created": "2023-12-06T16:47:33.032000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1345,
"FileHash-SHA256": 2819,
"hostname": 741,
"FileHash-MD5": 2106,
"FileHash-SHA1": 1371,
"URL": 571,
"email": 26,
"IPv4": 148,
"CIDR": 6
},
"indicator_count": 9133,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a581b1024ea61979da96",
"name": "Quasar - Dark Web Instagram Account | Link found | Remote Access Trojan (RAT)",
"description": "",
"modified": "2023-12-06T16:46:57.782000",
"created": "2023-12-06T16:46:57.782000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 3,
"FileHash-SHA256": 5791,
"hostname": 3255,
"domain": 2317,
"FileHash-MD5": 44,
"FileHash-SHA1": 34,
"URL": 11513
},
"indicator_count": 22957,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6570a131970ec6097f14145d",
"name": "SOC BACKUP 30 agosto 23",
"description": "",
"modified": "2023-12-06T16:28:33.117000",
"created": "2023-12-06T16:28:33.117000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2285,
"FileHash-MD5": 1940,
"FileHash-SHA1": 1329,
"domain": 1221,
"URL": 509,
"hostname": 691,
"email": 26,
"IPv4": 148,
"CIDR": 6
},
"indicator_count": 8155,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709ffcf3ffe737f8cb8dfd",
"name": "IOC's found on my pesonal devices; week starting 08/14/23",
"description": "",
"modified": "2023-12-06T16:23:24.919000",
"created": "2023-12-06T16:23:24.919000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 103,
"hostname": 524,
"domain": 1292,
"FileHash-SHA256": 95,
"FileHash-MD5": 54,
"FileHash-SHA1": 39,
"URL": 169,
"email": 1
},
"indicator_count": 2277,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709f0bbdd32cb4b343a12f",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:19:23.067000",
"created": "2023-12-06T16:19:23.067000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 13,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2218,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1175,
"hostname": 2514,
"JA3": 2,
"email": 83,
"FileHash-SHA1": 7164,
"CVE": 35
},
"indicator_count": 44904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709eee2f74978bd15d60a9",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:18:53.346000",
"created": "2023-12-06T16:18:53.346000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2219,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1175,
"hostname": 2513,
"JA3": 2,
"email": 83,
"FileHash-SHA1": 7164,
"CVE": 35
},
"indicator_count": 44904,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709ed8415c89746a234d89",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:18:32.627000",
"created": "2023-12-06T16:18:32.627000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2218,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1175,
"hostname": 2513,
"JA3": 2,
"email": 83,
"FileHash-SHA1": 7164,
"CVE": 35
},
"indicator_count": 44903,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709ebd65cdc059b8e373ef",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:18:05.044000",
"created": "2023-12-06T16:18:05.044000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2218,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1175,
"hostname": 2519,
"JA3": 2,
"email": 83,
"FileHash-SHA1": 7164,
"CVE": 36
},
"indicator_count": 44910,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709ea58a4b251d0f7aac7b",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:17:41.816000",
"created": "2023-12-06T16:17:41.816000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2221,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1176,
"hostname": 2513,
"JA3": 2,
"email": 83,
"FileHash-SHA1": 7164,
"CVE": 37
},
"indicator_count": 44909,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709e8b31eda9b13196277a",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:17:15.458000",
"created": "2023-12-06T16:17:15.458000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2222,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1176,
"hostname": 2513,
"JA3": 2,
"email": 83,
"FileHash-SHA1": 7164,
"CVE": 38
},
"indicator_count": 44911,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709e736e1768898768814f",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:16:51.265000",
"created": "2023-12-06T16:16:51.265000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2221,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1179,
"hostname": 2521,
"JA3": 2,
"email": 84,
"FileHash-SHA1": 7164,
"CVE": 40
},
"indicator_count": 44924,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709e5d4c59f8ac3f86f615",
"name": "WHO SAV.COM LLC (SOURCEADULT.COM)",
"description": "",
"modified": "2023-12-06T16:16:29.659000",
"created": "2023-12-06T16:16:29.659000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2430,
"FileHash-SHA256": 24526,
"FileHash-MD5": 7187,
"URL": 1331,
"hostname": 2748,
"JA3": 2,
"email": 94,
"CVE": 42,
"FileHash-SHA1": 7164
},
"indicator_count": 45524,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709ded7d8a5ce8dba3444a",
"name": "Who is SHAW.CA (TUSCOW DOMAINS)",
"description": "",
"modified": "2023-12-06T16:14:37.212000",
"created": "2023-12-06T16:14:37.212000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2362,
"FileHash-SHA256": 24578,
"FileHash-MD5": 7241,
"URL": 1216,
"hostname": 2688,
"JA3": 2,
"email": 97,
"CVE": 43,
"FileHash-SHA1": 7217
},
"indicator_count": 45444,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709dd6926a5676de0e2a19",
"name": "Who is SHAW.CA (TUSCOW DOMAINS)",
"description": "",
"modified": "2023-12-06T16:14:13.668000",
"created": "2023-12-06T16:14:13.668000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2427,
"FileHash-SHA256": 24528,
"FileHash-MD5": 7187,
"URL": 1346,
"hostname": 2829,
"JA3": 2,
"email": 99,
"CVE": 43,
"FileHash-SHA1": 7164
},
"indicator_count": 45625,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65709d867a940714a5e7986c",
"name": "soc bkp 20jul23",
"description": "",
"modified": "2023-12-06T16:12:54.283000",
"created": "2023-12-06T16:12:54.283000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1808,
"FileHash-MD5": 1232,
"FileHash-SHA1": 991,
"domain": 1138,
"URL": 431,
"hostname": 546,
"email": 26,
"IPv4": 142,
"CIDR": 6
},
"indicator_count": 6320,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "864 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"Issue! Multiple IoC\u2019s missing.",
"gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log",
"20230816_202710-scantemp.b14ff4bc3a",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log",
"About pulse, found in peripheral.",
"qtsingleapp-Notifi-4c42-3e8-lockfile",
"gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log",
"Researching using an easy powerful tool like this has led to confrontations.",
"gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log",
"v8-compile-cache-0",
"@tmp",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log",
"tmp.ziktUZeKXL",
"https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188",
"Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f",
"gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log",
"strlcatmMvE1V.c",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7",
"https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9",
"gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log",
"gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log",
".org.chromium.Chromium.12ZdF3",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
".org.chromium.Chromium.8GBhMA",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
"gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log",
"https://tria.ge/251105-yvvzgssldn",
"gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log",
"https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc",
"gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log",
"I did not clone my pulse to read Bit.io",
"gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log",
".X0-lock",
"gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log",
".vbox-mrkd-ipc",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log",
"An earlier version contacted entities affected or affecting targets.",
"gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"fish.root",
".org.chromium.Chromium.T2jdbS",
"gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495",
"gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log",
"Alerts: checks_debugger has_pdb raises_exception",
"gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log",
"Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c",
"v8-compile-cache-1000",
"gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log",
"When your pulse says contacted, who is contacted besides OTX?",
"tst-bz26353KOtJVp",
"bauh@mrkd",
"gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log",
"qtsingleapp-Notifi-4c42-3e8",
"gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log",
"memmemY_2MMv.c",
"gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"plasma-csd-generator.LTvjbT",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log",
"stdbool.ht64kj6qw.c",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj",
"gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"pytest-of-mrkd",
".org.chromium.Chromium.HMzFxo",
"qtsingleapp-Octopi-1d88-3e8",
"gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log",
"ThreatZone - Malicious",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log",
".ICE-unix",
"gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log",
"https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca",
"tmp90lfbdek",
"gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log",
"https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80",
"gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log",
"albert_yt_ynb2tftv",
"gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log",
".X11-unix",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
".org.chromium.Chromium.coQnti",
"gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log",
"https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details",
"com.iobit.MacBooster-3",
"gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log",
"https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c",
"This would be sent in an email but \u2026.",
"runtime-root",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s",
"gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log",
"https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445",
"gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log",
"https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd",
"https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities Source",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"stdbool.hcc0B2j.c",
"gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log",
"tmp.D4NXyZ3U4J",
"Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e",
"Email: chads@ualberta[.]ca",
"systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg",
"gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log",
"gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log",
"gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log",
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"qtsingleapp-Octopi-1d88-3e8-lockfile",
"strlcpydb8x03.c"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"N/A"
],
"malware_families": [
"Tofsee",
"Backdoor:win32/r2d2.a",
"Ransom:linux/darkradiation.a!mtb",
"Virus:win32/floxif.h",
"Bv:telegrambot-a\\ [trj]",
"Trojandropper:win32/fakeflexnet.a",
"Zerobot",
"Other malware",
"Skynet",
"Sf:shellcode-dz\\ [trj]",
"Netexecutablemicrosoft",
"Ransom:win32/cve-2017-0147",
"Backdoor:win32/drixed",
"Cve-2023-22518",
"Trojandownloader:linux/morila!mtb",
"Win.malware.vmprotect-9880726-0",
"Delphi",
"Slf:mamacsemacro.a",
"Exploit:win32/cve-2017-0147",
"#virtool:win32/obfuscator.adb",
"Ransom:win32/blocker.nn!mtb",
"Worm:win32/autorun!atmn",
"Mirai",
"Unix.trojan.mirai-7135937-0",
"Virtool:win32/injector"
],
"industries": [
"Education",
"Industrial",
"Government",
"Individuals",
"Defense",
"Legal",
"Technology"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69ddc6c9f25c71625fb0b9e6",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:47.333000",
"created": "2026-04-14T04:47:05.317000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc674d6814ef6ff10b49a",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:36.465000",
"created": "2026-04-14T04:45:40.694000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 10,
"IPv4": 58,
"hostname": 513,
"FileHash-SHA256": 807,
"domain": 136,
"FileHash-MD5": 335,
"FileHash-SHA1": 278,
"URL": 721
},
"indicator_count": 2858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc67ab71a32bb4cd407ca",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:32.943000",
"created": "2026-04-14T04:45:46.815000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d6619d62ea0c3bbf0ebf75",
"name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
"description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
"modified": "2026-04-08T14:09:33.432000",
"created": "2026-04-08T14:09:33.432000",
"tags": [
"issuer apple",
"valid from",
"valid",
"serial number",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"file version",
"team identifier",
"apple root",
"ca feb",
"am ma9eduzpcw",
"signers",
"issuer valid",
"from valid",
"status issuer",
"apple inc",
"valid apple",
"a9 a8",
"process32nextw",
"regsetvalueexa",
"read c",
"regdword",
"tls handshake",
"failure",
"msie",
"malware",
"write",
"win32",
"unknown",
"dynamicloader",
"high",
"myapp",
"device driver",
"host",
"worm",
"delphi",
"error",
"code",
"defender",
"next",
"file score",
"cryp",
"virus",
"checkin tls",
"forbidden yara",
"msvisualcpp2008",
"less ip",
"contacted",
"scanning host",
"trojan",
"exploit host",
"apple inc",
"monitored target",
"targeting",
"name servers",
"servers",
"expiration date",
"value emails",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"tulach"
],
"references": [
"com.iobit.MacBooster-3",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alerts: checks_debugger has_pdb raises_exception",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"Issue! Multiple IoC\u2019s missing.",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"Researching using an easy powerful tool like this has led to confrontations.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"I did not clone my pulse to read Bit.io",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"This would be sent in an email but \u2026.",
"About pulse, found in peripheral.",
"When your pulse says contacted, who is contacted besides OTX?",
"An earlier version contacted entities affected or affecting targets."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 75,
"FileHash-MD5": 102,
"FileHash-SHA256": 2076,
"IPv4": 111,
"URL": 2496,
"CVE": 2,
"domain": 483,
"hostname": 938,
"email": 4,
"SSLCertFingerprint": 2
},
"indicator_count": 6289,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "10 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6675c61d2a8e4554b9985027",
"name": "BLOCK_2024",
"description": "",
"modified": "2026-02-04T19:03:11.880000",
"created": "2024-06-21T18:27:41.885000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "65e899612f5527bad9d4e5a8",
"export_count": 6857098,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2306,
"FileHash-MD5": 4833,
"URL": 1674,
"hostname": 1302,
"FileHash-SHA256": 6371,
"FileHash-SHA1": 4014,
"IPv4": 3524,
"CIDR": 19,
"email": 190,
"CVE": 4
},
"indicator_count": 24237,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 108,
"modified_text": "73 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692f04e9fa3d782118e94aac",
"name": "LevelBlue - Open Threat Exchange - Delete AppDeployed",
"description": "I\u2019m not sure what to think. |\ndeploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev | Are these\npulses being sold or attacked? Christopher P. Ahmann of TAM Legal and his other firms has ALWAYS attacked targets phones and networks. Nothing is too outrageous for this maniac.\n\nHe is responsible for the recent attacks on devices , clouds , google accounts and a flurry of threats. Indicators in recently pulsed reports have been removed. I\u2019ve done my best to restore. \n\nI am also concerned about the safety or legitimacy of this platform.\n\nNo one is ever alerted. Simply calling someone and telling them about the compromises can equate to a big pay day for Level Blue and nothing for the victims of attacks. I need my pulses restored. \n\nIt\u2019s plausible to believe OTX was attacked by an external threat actor.\nAnything is possible when it comes to money.",
"modified": "2026-01-01T15:04:20.907000",
"created": "2025-12-02T15:25:29.158000",
"tags": [
"levelblue",
"open threat",
"dynamicloader",
"tlsv1",
"high",
"msie",
"windows nt",
"delete c",
"fwlink",
"stream",
"powershell",
"write",
"malware",
"local",
"united",
"flag",
"date",
"server",
"crazy egg",
"name server",
"gmt flag",
"domain address",
"markmonitor",
"enom",
"sugges",
"onv incude",
"data upload",
"find s",
"extraction",
"types",
"type",
"indicator",
"click",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"contacted hosts",
"search",
"entries",
"read c",
"medium",
"memcommit",
"tls handshake",
"failure",
"module load",
"next",
"execution",
"dock",
"capture",
"persistence",
"copy",
"unknown",
"suricata alert",
"et info",
"bad traffic",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"t1480 execution",
"file defense",
"write c",
"x02x82",
"xe6x15c6",
"x16f",
"xc0xc0xc0",
"revengerat",
"guard",
"service",
"encrypt",
"entries yara",
"delphi",
"win32",
"jordan",
"delete app"
],
"references": [
"https://otx.alienvault.com/indicator/domain/Tamlegal.com",
"DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform Eziriz",
"endgames.com \u2022 endgames.us \u2022 endgamesystems.com \u2022 http://www.onyx-ware.com/lander",
"deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Vmprotect-9880726-0",
"display_name": "Win.Malware.Vmprotect-9880726-0",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Legal"
],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4624,
"FileHash-SHA256": 2021,
"FileHash-MD5": 51,
"FileHash-SHA1": 20,
"SSLCertFingerprint": 10,
"hostname": 1433,
"domain": 728
},
"indicator_count": 8887,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "107 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "692e8cd886e0bb692e8a9d08",
"name": "Blocker Ransomware affecting Apple and iCloud | Injection",
"description": "Wild! Hackers attack-ack-acking!\nThey\u2019re quite good. Persistent. Angry. \nIt\u2019s the same group of hackers.",
"modified": "2026-01-01T06:01:02.583000",
"created": "2025-12-02T06:53:12.823000",
"tags": [
"url https",
"url http",
"domain",
"fh no",
"ipv4",
"united",
"flag",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"pattern match",
"mitre att",
"ck id",
"ck matrix",
"ascii text",
"href",
"network traffic",
"general",
"local",
"click",
"strings",
"learn",
"name tactics",
"suspicious",
"informative",
"found",
"command",
"adversaries",
"spawns",
"defense evasion",
"dynamicloader",
"windows nt",
"wow64",
"khtml",
"gecko",
"write c",
"unknown",
"virtool",
"write",
"defender",
"malware",
"delete",
"alerts",
"backdoor",
"high",
"ip address",
"t1045",
"packing",
"t1055",
"injection",
"t1060",
"run keys",
"startup",
"folder",
"t1119",
"t1027",
"tools",
"families",
"mirai",
"indicator role",
"active related",
"hackers",
"ahmann",
"usual suspects"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "#VirTool:Win32/Obfuscator.ADB",
"display_name": "#VirTool:Win32/Obfuscator.ADB",
"target": "/malware/#VirTool:Win32/Obfuscator.ADB"
},
{
"id": "Tofsee",
"display_name": "Tofsee",
"target": null
},
{
"id": "Backdoor:Win32/Drixed",
"display_name": "Backdoor:Win32/Drixed",
"target": "/malware/Backdoor:Win32/Drixed"
},
{
"id": "Mirai",
"display_name": "Mirai",
"target": null
},
{
"id": "VirTool:Win32/Injector",
"display_name": "VirTool:Win32/Injector",
"target": "/malware/VirTool:Win32/Injector"
},
{
"id": "Ransom:Win32/Blocker.NN!MTB",
"display_name": "Ransom:Win32/Blocker.NN!MTB",
"target": "/malware/Ransom:Win32/Blocker.NN!MTB"
},
{
"id": "Unix.Trojan.Mirai-7135937-0",
"display_name": "Unix.Trojan.Mirai-7135937-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1470",
"name": "Obtain Device Cloud Backups",
"display_name": "T1470 - Obtain Device Cloud Backups"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1066",
"name": "Indicator Removal from Tools",
"display_name": "T1066 - Indicator Removal from Tools"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1408",
"name": "Disguise Root/Jailbreak Indicators",
"display_name": "T1408 - Disguise Root/Jailbreak Indicators"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
},
{
"id": "T1054",
"name": "Indicator Blocking",
"display_name": "T1054 - Indicator Blocking"
},
{
"id": "T1590.002",
"name": "DNS",
"display_name": "T1590.002 - DNS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 234,
"FileHash-SHA1": 219,
"FileHash-SHA256": 841,
"URL": 2606,
"domain": 298,
"hostname": 772,
"SSLCertFingerprint": 2,
"CVE": 1
},
"indicator_count": 4973,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "108 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69404b09d8296388596ecfa9",
"name": "BLOCK_2025_DIC",
"description": "",
"modified": "2025-12-24T16:04:11.529000",
"created": "2025-12-15T17:53:13.004000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6675c61d2a8e4554b9985027",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "BLOCKINGBLOCK",
"id": "211480",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 2300,
"FileHash-MD5": 4833,
"URL": 1673,
"hostname": 1297,
"FileHash-SHA256": 6371,
"FileHash-SHA1": 4014,
"IPv4": 3235,
"CIDR": 19,
"email": 170,
"CVE": 4
},
"indicator_count": 23916,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 79,
"modified_text": "115 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "690b39b3cf3cb86d14ccd811",
"name": "VirusTotal Graph - 11.05.25 - UAlberta Insiders",
"description": "I was just looking for a Dark Gate and came across this...hmmmm....\nI enriched on import, vet out and refer to virustotal graph referenced.\nRefer to References below - am unable to get them in. Profiled student group (OSINT) - unclear if potential allies or not.",
"modified": "2025-12-05T11:00:41.797000",
"created": "2025-11-05T11:49:07.495000",
"tags": [
"chadsualberta"
],
"references": [
"https://www.virustotal.com/graph/embed/ge8fc36dfbe1c48cab7c6efb0398cc30cb5aaebda2bf24123bb6a282436cc5bab?theme=dark",
"https://www.filescan.io/uploads/690baf5e85b61a93a738d0d5/reports/ecaf45a2-956f-4d4e-8ebd-00813d966614/ioc",
"ThreatZone - Malicious",
"https://tria.ge/251105-yvvzgssldn",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495",
"https://hybrid-analysis.com/sample/30df68083e80263898ac56e2ef458811cec5fa73b92ad60f14b96ce676a11495/690baf2999a0659ae9046188",
"Email: chads@ualberta[.]ca"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Education",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 120,
"FileHash-SHA1": 120,
"FileHash-SHA256": 1809,
"URL": 603,
"domain": 396,
"hostname": 514
},
"indicator_count": 3562,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "135 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68d37e35f99d852d38beb769",
"name": "Cryptex Port Key \u2022 RedLine Stealer affects Threat Research Platform/s",
"description": "#attack? #honeypot?",
"modified": "2025-10-24T04:02:54.218000",
"created": "2025-09-24T05:14:28.101000",
"tags": [
"x00x00n",
"memcommit",
"regopenkeyexw",
"regsz",
"else",
"ipnnoysrdi tr",
"writeconsolew",
"cryptexportkey",
"invalid pointer",
"x1ex00x00n",
"redline stealer",
"service",
"powershell",
"tools",
"persistence",
"execution",
"dock",
"write",
"updater",
"malware",
"passive dns",
"urls",
"url add",
"ip address",
"related nids",
"files location",
"hong kong",
"united",
"present jul",
"present dec",
"search",
"present may",
"a domains",
"name servers",
"unknown aaaa",
"trojan",
"present jan",
"present sep",
"moved",
"title",
"span td",
"td td",
"tr tr",
"a li",
"ipv4 internet",
"span",
"meta",
"gmt content",
"ipv4 add",
"reverse dns",
"trojanx",
"location hong kong",
"software",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"spawns",
"development att",
"ascii text",
"pattern match",
"mitre att",
"ck matrix",
"sha1",
"odigicert inc",
"network traffic",
"general",
"local",
"path",
"encrypt",
"copy md5",
"copy sha1",
"copy sha256",
"sha256",
"size",
"crlf line",
"urlhttps",
"extracted files",
"acquires",
"networking",
"readiness"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1081",
"name": "Credentials in Files",
"display_name": "T1081 - Credentials in Files"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1086",
"name": "PowerShell",
"display_name": "T1086 - PowerShell"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 150,
"FileHash-SHA1": 148,
"FileHash-SHA256": 3059,
"domain": 1277,
"URL": 4166,
"hostname": 1251,
"SSLCertFingerprint": 10,
"email": 1
},
"indicator_count": 10062,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "177 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "git-api.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "git-api.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776596620.232568
}