{ "type": "Domain", "indicator": "github.dev", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/github.dev", "alexa": "http://www.alexa.com/siteinfo/github.dev", "indicator": "github.dev", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3351107899, "indicator": "github.dev", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "68a3afba4c6ae03cea4633e7", "name": "Endgame 4 | ThreatIntelligence | Pegasus | Graphite | Paragon | Mirai | Berbew [by privacynotacrime]", "description": "", "modified": "2025-11-20T00:56:28.210000", "created": "2025-08-18T22:56:58.617000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14786, "CIDR": 3, "FileHash-MD5": 2, "domain": 8084, "email": 1, "hostname": 9967, "FileHash-SHA256": 5018, "CVE": 1, "IPv4": 10 }, "indicator_count": 37872, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d3caa9524bb6b5460615f3", "name": "Legacy.Trojan affects threat researchers networks & portals and/or platforms", "description": "Legacy.Trojan affects threat researchers networks & portals and/or platforms or via platforms as a medium.\n[otx auto populated: Adversaries may be able to gain access to a victim's network through a range of techniques, as well as using a variety of other techniques to evade detection and detection.]\n#honeypot #capture #advesaries #fireeye #github", "modified": "2025-10-24T10:01:25.310000", "created": "2025-09-24T10:40:40.987000", "tags": [ "text drag", "browse to", "select file", "or drop", "yara detections", "runlevel", "av detections", "ids detections", "alerts", "analysis date", "inject", "stncphpphp more", "virustotal api", "comments", "related tags", "passive dns", "republic", "ipv4 add", "location korea", "korea", "asn as9318", "dns resolutions", "pulses otx", "close", "dynamicloader", "backdoor", "tgt session", "reads", "dynamic", "write", "chopper", "pho exploit", "backdoor", "fireeye", "low risk", "drop", "create snapshot", "hangover_appinbot", "kns dropper", "self", "md5 sha256", "google safe", "browsing", "server response", "response code", "vary", "mimikatz", "silence malware", "trojanagent", "legacy", "password", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "defense evasion", "spawns", "copy md5", "copy sha1", "copy sha256", "selection", "ascii text", "crlf line", "windir", "openurl c", "appearance code", "password", "urlhttps", "username", "flag", "united", "markmonitor", "github", "server", "date", "click", "apt 1", "high", "read c", "search", "medium", "show", "windows", "cmd c", "ms windows", "next", "copy", "ver", "businesseconomy" ], "references": [ "Files", "Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab", "Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,", "Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader", "Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile", "Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd", "Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal", "Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland" ], "malware_families": [ { "id": "Php.Exploit.C99-27", "display_name": "Php.Exploit.C99-27", "target": null }, { "id": "Backdoor:ASP/Chopper.F!dha", "display_name": "Backdoor:ASP/Chopper.F!dha", "target": "/malware/Backdoor:ASP/Chopper.F!dha" }, { "id": "Legacy.Trojan.Agent-37025", "display_name": "Legacy.Trojan.Agent-37025", "target": null }, { "id": "Ver", "display_name": "Ver", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 87, "FileHash-SHA1": 84, "FileHash-SHA256": 1049, "URL": 1688, "hostname": 544, "email": 5, "domain": 292, "CVE": 2 }, "indicator_count": 3751, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660afeb0c9812049de87dec1", "name": "hxxps://github[.]com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "description": "hxxps://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n\nSomething I figured worth looking into - present on several University of Alberta documents on devices sampled from several labs\n\nIOCs (04.01.24): parsed using IOC parser on IOCs (behavioral) derived from: Tri.age Analysis: https://tria.ge/240401-v8bafsaf71/behavioral1 and Hybrid Analysis: http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9\n-IOCs submitted to URLscan.io\nUpdate: 09.27.24 -> Present in a word document on Uni Computers (All)", "modified": "2025-09-06T17:02:07.070000", "created": "2024-04-01T18:36:32.583000", "tags": [ "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "download submit", "sha256", "sha1", "sha512", "prefetch1", "iocs", "suspicious use", "prefetch8", "ck v13", "monitor", "general", "config", "copy", "target", "score", "entity", "domain", "ipv6", "mitreatt", "macaddress", "filename" ], "references": [ "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 103, "FileHash-SHA1": 105, "FileHash-SHA256": 495, "URL": 613, "hostname": 109, "CVE": 4, "domain": 122, "email": 10 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebfc921491771b15be63e3", "name": "CnC Spyware | Pegasus Related | Ciberespionage Campaign | Skynet | Samsung | Google | DNS Hijacking", "description": "Presume ser una campa\u00f1a de ciberespionaje orquestada por una organizaci\u00f3n gubernamental, dirigida hacia m\u00faltiples objetivos individuales (civiles) que consideran sospechosos. El software utilizado es similar a Pegasus, Skynet, Graphite para dispositivos Android y Mirai, Emotet, Berbew para dispositivos Linux y Windows. Los \"modus operandi\" abarcan m\u00faltiples tipos de ataques en los que participan ISP's y empresas grandes como Google. La propagaci\u00f3n de malware se realiza a trav\u00e9s de SMS con un enlace que dirige a una web con un exploit de d\u00eda cero, o tambi\u00e9n al abrir un PDF malicioso con las mismas caracter\u00edsticas. La ingenier\u00eda social juega un papel fundamental en este tipo de ataques. El tr\u00e1fico parece ser enmascarado en DNS 8.8.8.8 para no ser detectado.", "modified": "2025-05-05T16:00:41.799000", "created": "2025-04-01T14:47:46.507000", "tags": [ "Government", "Pegasus", "Graphite", "Skynet", "Malware", "Campaign", "Samsung", "Android", "Unix", "Linux", "Browser", "Windows", "Zeroday", "Trojan" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "Spain", "United States of America" ], "malware_families": [ { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Backdoor:Win32/Mirai", "display_name": "Backdoor:Win32/Mirai", "target": "/malware/Backdoor:Win32/Mirai" }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "TEL:Spyware:AndroidOS/SpyMax", "display_name": "TEL:Spyware:AndroidOS/SpyMax", "target": null }, { "id": "AndroRAT - MOB-S0008", "display_name": "AndroRAT - MOB-S0008", "target": null }, { "id": "Samsung", "display_name": "Samsung", "target": null }, { "id": "GoogleDrive RAT", "display_name": "GoogleDrive RAT", "target": null }, { "id": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "display_name": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "target": null }, { "id": "Backdoor:Win32/DnsDoor", "display_name": "Backdoor:Win32/DnsDoor", "target": "/malware/Backdoor:Win32/DnsDoor" }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:JS/DNSChanger", "display_name": "Trojan:JS/DNSChanger", "target": "/malware/Trojan:JS/DNSChanger" }, { "id": "#PowerShell:EncodedCommand", "display_name": "#PowerShell:EncodedCommand", "target": null }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null } ], "attack_ids": [ { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1568.001", "name": "Fast Flux DNS", "display_name": "T1568.001 - Fast Flux DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1076", "name": "Remote Desktop Protocol", "display_name": "T1076 - Remote Desktop Protocol" } ], "industries": [ "Government", "Civil", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "depdgaus", "id": "315837", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "domain": 712, "hostname": 1246, "FileHash-SHA256": 900 }, "indicator_count": 6450, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c257c4178a74335a9eb520", "name": "Test Pawn Storm", "description": "Description Test", "modified": "2024-04-18T18:00:09.467000", "created": "2024-02-06T16:01:08.781000", "tags": [ "information stealer", "cve-2023-23397", "test2", "test3", "test4", "test5" ], "references": [ "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/l/pawn-storm-uses-brute-force-and-stealth-against-high-value-targets-/iocs-pawn-storm-uses-brute-force-and-stealth-against-high-value-targets.txt" ], "public": 1, "adversary": "Test Adversary2", "targeted_countries": [ "United States of America", "Central African Republic", "Taiwan", "Afghanistan", "\u00c5land Islands" ], "malware_families": [ { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": "#AGGR:AutoIt/Banload", "display_name": "#AGGR:AutoIt/Banload", "target": "/malware/#AGGR:AutoIt/Banload" }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" } ], "industries": [ "Defense", "Energy", "Transportation", "Finance", "Chemical", "Aerospace", "Construction" ], "TLP": "white", "cloned_from": "65c2068e125ab9c038a7f362", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jpattotx2", "id": "225675", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 18, "FileHash-SHA1": 16, "FileHash-SHA256": 20, "domain": 189, "hostname": 1482, "YARA": 1, "URL": 23 }, "indicator_count": 1754, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "731 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657091100e9f5aa6eb534fb4", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "", "modified": "2023-12-06T15:19:44.839000", "created": "2023-12-06T15:19:44.839000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "domain": 2723, "URL": 442 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ef13ad6547ed183dba3f3c", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "see im reading that domain as bro ca project", "modified": "2022-08-07T01:21:49.761000", "created": "2022-08-07T01:21:49.761000", "tags": [ "strong", "github", "jump", "github desktop", "sign", "iosrulescript", "quantumult", "boxjs", "chouchoui", "code issues", "contact", "star", "desktop", "stars", "footer", "view", "pull", "wiki security", "unicode", "copy", "wegare123vmt", "phoenix", "jquery", "discord", "ruby", "chinaz", "startpage" ], "references": [ "geosite.dat.html", "https://github.com/blackmatrix7/ios_rule_script" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "URL": 442, "domain": 2723 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1351 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader", "https://github.com/blackmatrix7/ios_rule_script", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile", "https://securityaffairs.com/", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary", "Multiple other undocumented malware", "geosite.dat.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal", "Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/l/pawn-storm-uses-brute-force-and-stealth-against-high-value-targets-/iocs-pawn-storm-uses-brute-force-and-stealth-against-high-value-targets.txt", "Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd", "Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "Files", "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html", "Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Test Adversary2", "Government", "Hoc Working" ], "malware_families": [ "#lowfi:siga:trojandownloader:msil/genmaldow", "Alf:html/phishing", "Php.exploit.c99-27", "Trojan:js/berbew", "Graphite (pegasus variant)", "Paragon (pegasus variant)", "Pegasus for mac", "Ver", "\"prepending (enc) ransomware\" (not an official name)", "Backdoor:win32/berbew", "Immortal stealer", "Pegasus for android - s0316", "Starfighter (javascript)", "Androrat - mob-s0008", "#powershell:encodedcommand", "Tel:spyware:androidos/spymax", "Careto", "Zeroaccess - s0027", "#lowfi:hstr:win32/mediadownloader", "Backdoor:asp/chopper.f!dha", "!#lowfiwritemzinunusualextension", "Mirai (windows)", "Alf:heraklezeval:trojan:win32/salgorea!rfn", "Backdoor:win32/dnsdoor", ".a , alf:heraklezeval:pws:win32/ldpinch!rfn", "#aggr:autoit/banload", "Alf:backdoor:java/webshell", "Pegasus rdp module for windows", "Pegasus for android - mob-s0032", "#lowfitrojan:html/iframe", "Html smuggling", "Pws:win32/ymacco.aa50", "!#addscopytostartup", "Googledrive rat", "Xloader for ios - s0490", "Alf:backdoor:powershell/reverseshell", "Skynet", "Trojandownloader:linux/mirai", "#hstr:hacktool:win32/remoteshell", "Cve-2023-27997", "#lowfi:exploit:java/cve-2012-0507", "Backdoor:win32/mirai", "Trojan:js/dnschanger", "Legacy.trojan.agent-37025", "Trojan:win32/qqpass", "Backdoor:linux/mirai", "Samsung", "Dnspionage", "Pegasus for ios - s0289", "Cve-2025-42957", "Ddos:linux/mirai", "#lowfi:hstr:browsermodifier:consentbypass" ], "industries": [ "Civilians", "Civil", "Government", "Finance", "Healthcare", "Critical infrastructure", "Technology", "Energy", "Transportation", "Chemical", "Aerospace", "People", "Construction", "Defense", "Education", "Manufacturing" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "68a3afba4c6ae03cea4633e7", "name": "Endgame 4 | ThreatIntelligence | Pegasus | Graphite | Paragon | Mirai | Berbew [by privacynotacrime]", "description": "", "modified": "2025-11-20T00:56:28.210000", "created": "2025-08-18T22:56:58.617000", "tags": [ "Spyware", "Trojan", "Pegasus", "DNS", "Graphite", "Paragon", "NSO", "NSO Group", "Security", "Samsung", "Google", "Amazon", "HP", "Cloudflare", "Endgame", "Europe", "Espionage", "Malware", "Campaign", "Civil", "People", "Civilians", "Crime", "Hackers", "Sony", "Wix", "Mobileye", "Skynet", "Android", "iOS", "Mac", "Windows", "Microsoft", "Linux", "Mirai", "Berbew", "Trojan Downloader", "html_smuggling", "FormBook", "stealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Canada", "Denmark", "Finland", "Germany", "Ireland", "Lithuania", "Spain", "Poland", "Romania", "United Arab Emirates", "Ukraine", "Taiwan", "Sweden", "Norway", "Luxembourg" ], "malware_families": [ { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Pegasus for iOS - S0289", "display_name": "Pegasus for iOS - S0289", "target": null }, { "id": "Skynet", "display_name": "Skynet", "target": null }, { "id": "Graphite (Pegasus variant)", "display_name": "Graphite (Pegasus variant)", "target": null }, { "id": "Paragon (Pegasus variant)", "display_name": "Paragon (Pegasus variant)", "target": null }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "ALF:Backdoor:PowerShell/ReverseShell", "display_name": "ALF:Backdoor:PowerShell/ReverseShell", "target": null }, { "id": "Pegasus for Mac", "display_name": "Pegasus for Mac", "target": null }, { "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow", "target": null }, { "id": "XLoader for iOS - S0490", "display_name": "XLoader for iOS - S0490", "target": null }, { "id": "Starfighter (Javascript)", "display_name": "Starfighter (Javascript)", "target": null }, { "id": "Careto", "display_name": "Careto", "target": null }, { "id": "#Lowfi:Exploit:Java/CVE-2012-0507", "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507", "target": null }, { "id": "Zeroaccess - S0027", "display_name": "Zeroaccess - S0027", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null }, { "id": "#LowfiTrojan:HTML/Iframe", "display_name": "#LowfiTrojan:HTML/Iframe", "target": "/malware/#LowfiTrojan:HTML/Iframe" }, { "id": "HTML Smuggling", "display_name": "HTML Smuggling", "target": null }, { "id": "ALF:HTML/Phishing", "display_name": "ALF:HTML/Phishing", "target": "/malware/ALF:HTML/Phishing" }, { "id": "Pegasus RDP module for Windows", "display_name": "Pegasus RDP module for Windows", "target": null }, { "id": "#Lowfi:HSTR:Win32/MediaDownloader", "display_name": "#Lowfi:HSTR:Win32/MediaDownloader", "target": null } ], "attack_ids": [ { "id": "T1218.001", "name": "Compiled HTML File", "display_name": "T1218.001 - Compiled HTML File" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1454", "name": "Malicious SMS Message", "display_name": "T1454 - Malicious SMS Message" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1563.002", "name": "RDP Hijacking", "display_name": "T1563.002 - RDP Hijacking" }, { "id": "T1019", "name": "System Firmware", "display_name": "T1019 - System Firmware" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" } ], "industries": [ "Civil", "People", "Civilians" ], "TLP": "green", "cloned_from": "687992eceac6f12e9cebd65f", "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14786, "CIDR": 3, "FileHash-MD5": 2, "domain": 8084, "email": 1, "hostname": 9967, "FileHash-SHA256": 5018, "CVE": 1, "IPv4": 10 }, "indicator_count": 37872, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d3caa9524bb6b5460615f3", "name": "Legacy.Trojan affects threat researchers networks & portals and/or platforms", "description": "Legacy.Trojan affects threat researchers networks & portals and/or platforms or via platforms as a medium.\n[otx auto populated: Adversaries may be able to gain access to a victim's network through a range of techniques, as well as using a variety of other techniques to evade detection and detection.]\n#honeypot #capture #advesaries #fireeye #github", "modified": "2025-10-24T10:01:25.310000", "created": "2025-09-24T10:40:40.987000", "tags": [ "text drag", "browse to", "select file", "or drop", "yara detections", "runlevel", "av detections", "ids detections", "alerts", "analysis date", "inject", "stncphpphp more", "virustotal api", "comments", "related tags", "passive dns", "republic", "ipv4 add", "location korea", "korea", "asn as9318", "dns resolutions", "pulses otx", "close", "dynamicloader", "backdoor", "tgt session", "reads", "dynamic", "write", "chopper", "pho exploit", "backdoor", "fireeye", "low risk", "drop", "create snapshot", "hangover_appinbot", "kns dropper", "self", "md5 sha256", "google safe", "browsing", "server response", "response code", "vary", "mimikatz", "silence malware", "trojanagent", "legacy", "password", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "initial access", "defense evasion", "spawns", "copy md5", "copy sha1", "copy sha256", "selection", "ascii text", "crlf line", "windir", "openurl c", "appearance code", "password", "urlhttps", "username", "flag", "united", "markmonitor", "github", "server", "date", "click", "apt 1", "high", "read c", "search", "medium", "show", "windows", "cmd c", "ms windows", "next", "copy", "ver", "businesseconomy" ], "references": [ "Files", "Yara : KINS_dropper , apt_win_mutex_apt1 , Hangover_Fuddol , Hangover_Tymtin_Degrab", "Yara: Hangover_Smackdown_various , Hangover_Foler , Hangover_UpdateEx ,", "Yara: Hangover_Smackdown_Downloader , Hangover_Vacrhan_Downloader", "Yara: HKTL_NATBypass_Dec22_1 , power_pe_injection , Mimikatz_Logfile", "Yara: Mimikatz_Strings , Silence_malware_2 , EquationGroup_elgingamble , EquationGroup_cmsd", "Yara: EquationGroup_ebbshave , EquationGroup_eggbasket , EquationGroup_sambal", "Yara: Mimikatz_Logfile SID : * NTLM : Authentication Id : wdigest : Mimikatz_Strings sekurlsa::logonpasswords" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ireland" ], "malware_families": [ { "id": "Php.Exploit.C99-27", "display_name": "Php.Exploit.C99-27", "target": null }, { "id": "Backdoor:ASP/Chopper.F!dha", "display_name": "Backdoor:ASP/Chopper.F!dha", "target": "/malware/Backdoor:ASP/Chopper.F!dha" }, { "id": "Legacy.Trojan.Agent-37025", "display_name": "Legacy.Trojan.Agent-37025", "target": null }, { "id": "Ver", "display_name": "Ver", "target": null } ], "attack_ids": [ { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 87, "FileHash-SHA1": 84, "FileHash-SHA256": 1049, "URL": 1688, "hostname": 544, "email": 5, "domain": 292, "CVE": 2 }, "indicator_count": 3751, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660afeb0c9812049de87dec1", "name": "hxxps://github[.]com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "description": "hxxps://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n\nSomething I figured worth looking into - present on several University of Alberta documents on devices sampled from several labs\n\nIOCs (04.01.24): parsed using IOC parser on IOCs (behavioral) derived from: Tri.age Analysis: https://tria.ge/240401-v8bafsaf71/behavioral1 and Hybrid Analysis: http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9\n-IOCs submitted to URLscan.io\nUpdate: 09.27.24 -> Present in a word document on Uni Computers (All)", "modified": "2025-09-06T17:02:07.070000", "created": "2024-04-01T18:36:32.583000", "tags": [ "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "download submit", "sha256", "sha1", "sha512", "prefetch1", "iocs", "suspicious use", "prefetch8", "ck v13", "monitor", "general", "config", "copy", "target", "score", "entity", "domain", "ipv6", "mitreatt", "macaddress", "filename" ], "references": [ "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 103, "FileHash-SHA1": 105, "FileHash-SHA256": 495, "URL": 613, "hostname": 109, "CVE": 4, "domain": 122, "email": 10 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebfc921491771b15be63e3", "name": "CnC Spyware | Pegasus Related | Ciberespionage Campaign | Skynet | Samsung | Google | DNS Hijacking", "description": "Presume ser una campa\u00f1a de ciberespionaje orquestada por una organizaci\u00f3n gubernamental, dirigida hacia m\u00faltiples objetivos individuales (civiles) que consideran sospechosos. El software utilizado es similar a Pegasus, Skynet, Graphite para dispositivos Android y Mirai, Emotet, Berbew para dispositivos Linux y Windows. Los \"modus operandi\" abarcan m\u00faltiples tipos de ataques en los que participan ISP's y empresas grandes como Google. La propagaci\u00f3n de malware se realiza a trav\u00e9s de SMS con un enlace que dirige a una web con un exploit de d\u00eda cero, o tambi\u00e9n al abrir un PDF malicioso con las mismas caracter\u00edsticas. La ingenier\u00eda social juega un papel fundamental en este tipo de ataques. El tr\u00e1fico parece ser enmascarado en DNS 8.8.8.8 para no ser detectado.", "modified": "2025-05-05T16:00:41.799000", "created": "2025-04-01T14:47:46.507000", "tags": [ "Government", "Pegasus", "Graphite", "Skynet", "Malware", "Campaign", "Samsung", "Android", "Unix", "Linux", "Browser", "Windows", "Zeroday", "Trojan" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "Spain", "United States of America" ], "malware_families": [ { "id": "Pegasus for Android - S0316", "display_name": "Pegasus for Android - S0316", "target": null }, { "id": "Pegasus for Android - MOB-S0032", "display_name": "Pegasus for Android - MOB-S0032", "target": null }, { "id": "Backdoor:Win32/Mirai", "display_name": "Backdoor:Win32/Mirai", "target": "/malware/Backdoor:Win32/Mirai" }, { "id": "DDoS:Linux/Mirai", "display_name": "DDoS:Linux/Mirai", "target": "/malware/DDoS:Linux/Mirai" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "TrojanDownloader:Linux/Mirai", "display_name": "TrojanDownloader:Linux/Mirai", "target": "/malware/TrojanDownloader:Linux/Mirai" }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "TEL:Spyware:AndroidOS/SpyMax", "display_name": "TEL:Spyware:AndroidOS/SpyMax", "target": null }, { "id": "AndroRAT - MOB-S0008", "display_name": "AndroRAT - MOB-S0008", "target": null }, { "id": "Samsung", "display_name": "Samsung", "target": null }, { "id": "GoogleDrive RAT", "display_name": "GoogleDrive RAT", "target": null }, { "id": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "display_name": "#Lowfi:HSTR:BrowserModifier:ConsentBypass", "target": null }, { "id": "Backdoor:Win32/DnsDoor", "display_name": "Backdoor:Win32/DnsDoor", "target": "/malware/Backdoor:Win32/DnsDoor" }, { "id": "DNSpionage", "display_name": "DNSpionage", "target": null }, { "id": "Trojan:JS/DNSChanger", "display_name": "Trojan:JS/DNSChanger", "target": "/malware/Trojan:JS/DNSChanger" }, { "id": "#PowerShell:EncodedCommand", "display_name": "#PowerShell:EncodedCommand", "target": null }, { "id": "ALF:Backdoor:JAVA/Webshell", "display_name": "ALF:Backdoor:JAVA/Webshell", "target": null }, { "id": "#HSTR:HackTool:Win32/RemoteShell", "display_name": "#HSTR:HackTool:Win32/RemoteShell", "target": null } ], "attack_ids": [ { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1596.004", "name": "CDNs", "display_name": "T1596.004 - CDNs" }, { "id": "T1590.002", "name": "DNS", "display_name": "T1590.002 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1568.001", "name": "Fast Flux DNS", "display_name": "T1568.001 - Fast Flux DNS" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1076", "name": "Remote Desktop Protocol", "display_name": "T1076 - Remote Desktop Protocol" } ], "industries": [ "Government", "Civil", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "depdgaus", "id": "315837", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3592, "domain": 712, "hostname": 1246, "FileHash-SHA256": 900 }, "indicator_count": 6450, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c257c4178a74335a9eb520", "name": "Test Pawn Storm", "description": "Description Test", "modified": "2024-04-18T18:00:09.467000", "created": "2024-02-06T16:01:08.781000", "tags": [ "information stealer", "cve-2023-23397", "test2", "test3", "test4", "test5" ], "references": [ "https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/l/pawn-storm-uses-brute-force-and-stealth-against-high-value-targets-/iocs-pawn-storm-uses-brute-force-and-stealth-against-high-value-targets.txt" ], "public": 1, "adversary": "Test Adversary2", "targeted_countries": [ "United States of America", "Central African Republic", "Taiwan", "Afghanistan", "\u00c5land Islands" ], "malware_families": [ { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": "#AGGR:AutoIt/Banload", "display_name": "#AGGR:AutoIt/Banload", "target": "/malware/#AGGR:AutoIt/Banload" }, { "id": "Immortal Stealer", "display_name": "Immortal Stealer", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1001.001", "name": "Junk Data", "display_name": "T1001.001 - Junk Data" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" } ], "industries": [ "Defense", "Energy", "Transportation", "Finance", "Chemical", "Aerospace", "Construction" ], "TLP": "white", "cloned_from": "65c2068e125ab9c038a7f362", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jpattotx2", "id": "225675", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 18, "FileHash-SHA1": 16, "FileHash-SHA256": 20, "domain": 189, "hostname": 1482, "YARA": 1, "URL": 23 }, "indicator_count": 1754, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "731 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657091100e9f5aa6eb534fb4", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "", "modified": "2023-12-06T15:19:44.839000", "created": "2023-12-06T15:19:44.839000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "domain": 2723, "URL": 442 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ef13ad6547ed183dba3f3c", "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub - brocaproject.com - hmmm cert ca issue", "description": "see im reading that domain as bro ca project", "modified": "2022-08-07T01:21:49.761000", "created": "2022-08-07T01:21:49.761000", "tags": [ "strong", "github", "jump", "github desktop", "sign", "iosrulescript", "quantumult", "boxjs", "chouchoui", "code issues", "contact", "star", "desktop", "stars", "footer", "view", "pull", "wiki security", "unicode", "copy", "wegare123vmt", "phoenix", "jquery", "discord", "ruby", "chinaz", "startpage" ], "references": [ "geosite.dat.html", "https://github.com/blackmatrix7/ios_rule_script" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2410, "hostname": 3653, "URL": 442, "domain": 2723 }, "indicator_count": 9228, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1351 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "github.dev", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "github.dev", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776638191.6141794 }