{
  "type": "Domain",
  "indicator": "gotoresolve.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/gotoresolve.com",
    "alexa": "http://www.alexa.com/siteinfo/gotoresolve.com",
    "indicator": "gotoresolve.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3159436635,
      "indicator": "gotoresolve.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6a1b57af6e1986d0628bca12",
          "name": "SystemBC RAT, Quant Loader, and LogMeIn.com, combined to execute a multi-stage Corporate Styled Network Intrusion",
          "description": "\"Living off the Land\" Takeover (LogMeIn.com)\u201c\nINCIDENT REPORT: HIGH-VALUE TARGET NETWORK INTRUSION Threat Profile: Human-operated corporate-grade attack chain targeting an isolated device.Vector: Local network exposure (compromised router/neighboring device) or physical media (USB).Attack Chain Stages:Quant Script: Obfuscated entry file bypassing network filters.SystemBC RAT: Creates a silent, persistent SOCKS5/Tor tunnel for attacker commands.LogMeIn Abuse: Attackers use legitimate remote software to control the device undetected.Crowti (CryptoWall): Final ransomware payload to encrypt high-value data.Key Observations: Because the target device lacked direct internet access, adversaries are actively abusing the local network infrastructure or physical proximity to bridge the gap. \n\nI\u2019m open to other opinions regarding this report. I have been unwell and my thinking has been  unclear and even off as I focus on getting well.\nThank you.",
          "modified": "2026-05-30T21:33:35.237000",
          "created": "2026-05-30T21:33:35.237000",
          "tags": [
            "united",
            "unknown aaaa",
            "servers",
            "certificate",
            "urls",
            "logmein",
            "ipv4",
            "url analysis",
            "files",
            "america flag",
            "level",
            "data upload",
            "extraction",
            "failed",
            "enter sc",
            "extri data",
            "include review",
            "stop typ",
            "domain don",
            "united states",
            "america asn",
            "net20525119201",
            "amazon data",
            "net20525119202",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity adsn1",
            "handle",
            "sc data",
            "netherlands asn",
            "as204601 zomro",
            "dns resolutions",
            "log id",
            "gmtn",
            "timestamp",
            "tls web",
            "expiresfri",
            "path",
            "httponly",
            "salford",
            "sectigo limited",
            "sectigo rsa",
            "accept",
            "organization",
            "false",
            "authentication",
            "ocsp",
            "c179044d",
            "b89a",
            "d4n timestamp",
            "df9b",
            "post na",
            "lredmond",
            "stwa",
            "cnmicrosoft tls",
            "g2 rsa",
            "ca ocsp",
            "rmm domain",
            "search",
            "flashpix",
            "write",
            "unknown",
            "malware",
            "encrypt",
            "high",
            "medium",
            "write c",
            "template",
            "registers",
            "moved",
            "record value",
            "tls sni",
            "observed rmm",
            "omicrosoft",
            "stwashington",
            "server ca",
            "extr data",
            "error",
            "a50 data",
            "pattern match",
            "ascii text",
            "mitre att",
            "ck id",
            "general",
            "local",
            "click",
            "strings",
            "u extractio",
            "extrac data",
            "learn",
            "command",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "spawns",
            "signing defense",
            "discovery att",
            "code signing",
            "defense evasion",
            "t1480.002",
            "mrasn",
            "cachecontrol",
            "connection",
            "date tue",
            "gmt etag",
            "self",
            "etag w/\"leknjhepnj99sn\"",
            "name servers",
            "extre data",
            "observed dns",
            "query",
            "show",
            "localsm05208304",
            "localsm03520304",
            "title error",
            "all ipv4",
            "reverse dns",
            "as14618",
            "extraction data",
            "creato touc",
            "digice rsa",
            "sh certific",
            "hid iv",
            "trojandropper",
            "backdoor",
            "present may",
            "please",
            "x msedge",
            "exploit",
            "as8068",
            "av detection",
            "ratio",
            "ids detections",
            "content length",
            "content type",
            "x powered",
            "asn as16509",
            "x vercel",
            "vercel",
            "gmt content",
            "ransom",
            "dynamicloader",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "sysv",
            "buildid",
            "germany as8560",
            "yara detections",
            "contacted",
            "elf",
            "filehash",
            "av detections",
            "alerts",
            "analysis date",
            "file score",
            "low risk",
            "elf executable",
            "exec amd6464",
            "linux",
            "elf64 operation",
            "unix",
            "compiler",
            "elf info",
            "progbits",
            "offset size",
            "flags",
            "null",
            "hashes o",
            "get http",
            "post http",
            "entries",
            "trojan",
            "pegasus",
            "apple",
            "amazonaws",
            "smtp",
            "self-delete",
            "service-scan",
            "applayer",
            "madagascar",
            "qnapcrypt",
            "mal_elf_systembc_rat",
            "rat",
            "hacktool code",
            "systembc",
            "t1064",
            "create",
            "modify system",
            "process",
            "t1543 privile",
            "ta0004 cr",
            "t1543",
            "creation date",
            "whois show",
            "emails",
            "name logmein",
            "org logmein",
            "summer st",
            "date hash",
            "avast avg",
            "mtb jul",
            "k jun",
            "ai",
            "ai report",
            "appleremotesupport",
            "remotelyanywhere",
            "pegasus related"
          ],
          "references": [
            "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/",
            "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy",
            "Amazonaws.com \u2022 Amazon.com",
            "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022  www.anyxxxtube.net",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
            "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting",
            "http://212.33.237.86/images/1/report.php",
            "http://watchhers.net/index.php",
            "remoteexecution-runner-api.services.gotoresolve.com",
            "firebaseremoteconfig.googleapis.com",
            "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com",
            "alerts-monitor-api-fd-prodeu.services.gotoresolve.com",
            "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
            "Yara Detections: is__elf",
            "IP\u2019s Contacted:  104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113  212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
            "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
            "Names: testpaging upof6w.exe",
            "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info",
            "https://cdn.console.gotoresolve.com/applet",
            "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP",
            "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)",
            "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60",
            "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)",
            "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
            "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
            "Matches rule SURICATA Applayer Detect protocol only one direction",
            "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->",
            "to act as their human-controlled, \"living off the land\" command station.",
            "Attack ChainThreat actors chain these three specific components together to bypass traditional ->",
            "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794",
            "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]",
            "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.",
            "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,",
            "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.",
            "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection",
            "by pulling its primary files over public SMB shares.",
            "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.",
            "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.",
            "This lets the threat actor route malicious command traffic into the local corporate network undetected.",
            "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.",
            "Because LogMeIn is a legitimate remote management tool used by actual IT departments,",
            "its outbound traffic to logmein.com domains looks completely normal to firewalls.",
            "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware",
            "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022",
            "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com",
            "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com",
            "appleremotesupport.com \u2022 remotelyanywhere.com",
            "Immediate Recommendations: Disconnect all routers and isolate the network.",
            "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.",
            "Change all credentials from a separate, clean network.",
            "If possible: Move to Switzerland"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/Crowti.A",
              "display_name": "Ransom:Win32/Crowti.A",
              "target": "/malware/Ransom:Win32/Crowti.A"
            },
            {
              "id": "Trojan.Systembc/yxgdgz",
              "display_name": "Trojan.Systembc/yxgdgz",
              "target": null
            },
            {
              "id": "TrojanSpy:Win32/Nivdort.CW",
              "display_name": "TrojanSpy:Win32/Nivdort.CW",
              "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
            },
            {
              "id": "Win.Downloader.Nemucod-6769668-0",
              "display_name": "Win.Downloader.Nemucod-6769668-0",
              "target": null
            },
            {
              "id": "TrojanDownloader:JS/Swabfex.P",
              "display_name": "TrojanDownloader:JS/Swabfex.P",
              "target": "/malware/TrojanDownloader:JS/Swabfex.P"
            },
            {
              "id": "Win.Downloader.Nemucod-6769668-0",
              "display_name": "Win.Downloader.Nemucod-6769668-0",
              "target": null
            },
            {
              "id": "Doc.Downloader.EmotetRed02220-9938909-0",
              "display_name": "Doc.Downloader.EmotetRed02220-9938909-0",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Cutwail.gen!K",
              "display_name": "TrojanDropper:Win32/Cutwail.gen!K",
              "target": "/malware/TrojanDropper:Win32/Cutwail.gen!K"
            },
            {
              "id": "Win.Trojan.Gh0stRAT-9955419-1",
              "display_name": "Win.Trojan.Gh0stRAT-9955419-1",
              "target": null
            },
            {
              "id": "Win.Trojan.Hupigon-6989556-0",
              "display_name": "Win.Trojan.Hupigon-6989556-0",
              "target": null
            },
            {
              "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
              "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
              "target": null
            },
            {
              "id": "Win.Malware.Jaik-9968280-0",
              "display_name": "Win.Malware.Jaik-9968280-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1543.002",
              "name": "Systemd Service",
              "display_name": "T1543.002 - Systemd Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 275,
            "FileHash-SHA1": 243,
            "FileHash-SHA256": 1320,
            "URL": 897,
            "domain": 796,
            "email": 7,
            "hostname": 783,
            "IPv4": 446,
            "CIDR": 2,
            "SSLCertFingerprint": 33
          },
          "indicator_count": 4802,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "13 hours ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6939d93da11a7d2bf7535ef1",
          "name": "Tesla Hackers Log In | Disqus",
          "description": "I\u2019m not for certain when blog \u2018https://pickyhot.disqus.com/tsara-brashears\u2019 first appeared online. It was present in 2016 -2021.  It was a porn spewing blog that obviously was full of tools. The lot pics debated targets race , beauty and other silly things. I don\u2019t know if target ever clicked on links. Tesla Hackers have played a major role in attacks against target. I haven\u2019t sifted through all malware yet. \n\n\n - Elon Musk - When Brashears suffered attempted hit on roadway she described suspect as an Elon Musk type, possible, offspring, or someone closely tied to him.",
          "modified": "2026-01-09T19:02:12.608000",
          "created": "2025-12-10T20:34:05.903000",
          "tags": [
            "disqus",
            "disqus.com",
            "comments",
            "blog",
            "blogs",
            "discussion",
            "google facebook",
            "twitter",
            "microsoft apple",
            "email",
            "forgot password",
            "login",
            "sign",
            "general full",
            "url https",
            "security tls",
            "united",
            "asn54113",
            "fastly",
            "reverse dns",
            "resource",
            "hash",
            "flag",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "contacted hosts",
            "ck id",
            "show technique",
            "mitre att",
            "ck matrix",
            "pattern match",
            "ascii text",
            "network traffic",
            "t1057",
            "path",
            "learn",
            "command",
            "suspicious",
            "informative",
            "name tactics",
            "spawns",
            "t1480 execution",
            "signing defense",
            "file defense",
            "read c",
            "tlsv1",
            "search",
            "jfif",
            "ijg jpeg",
            "tls handshake",
            "failure",
            "show",
            "port",
            "execution",
            "next",
            "dock",
            "write",
            "persistence",
            "malware",
            "unknown",
            "waymo",
            "tesla",
            "musk",
            "austin",
            "bay area",
            "tesla ceo",
            "elon musk",
            "wednesday",
            "safety monitor",
            "synacktiv",
            "aaaa",
            "present jul",
            "status",
            "asnone country",
            "as13335",
            "present sep",
            "present apr",
            "present dec",
            "present jun",
            "lte all",
            "search otx",
            "additionally",
            "enter source",
            "url or",
            "data upload",
            "extraction",
            "entries",
            "present may",
            "dynamicloader",
            "as15169",
            "medium",
            "write c",
            "odigicert inc",
            "windows",
            "as54113",
            "worm",
            "copy",
            "explorer",
            "encrypt",
            "target tsraa brashears"
          ],
          "references": [
            "http://pickyhot.disqus.com/",
            "https://www.teslarati.com/tesla-hackers",
            "https://pickyhot.disqus.com/tsara-brashears",
            "All tags auto populated including\u2019 Elon Musk\u2019",
            "Running webserver Running WordPress Running Drupal",
            "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou",
            "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org",
            "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com",
            "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
            "www.endgame.com",
            "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com",
            "https://www.endgames.us \u2022 https://www.endgames.us/",
            "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com",
            "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com",
            "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com",
            "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com",
            "http://www.endgamesystems.com/",
            "http://wg41xm05b3.endgamesystems.com/",
            "http://www.endgamesystems.com/",
            "Requires further research"
          ],
          "public": 1,
          "adversary": "Tesla Hackers",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Synacktiv",
              "display_name": "Synacktiv",
              "target": null
            },
            {
              "id": "Tesla Hackers",
              "display_name": "Tesla Hackers",
              "target": null
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            },
            {
              "id": "Mofksys",
              "display_name": "Mofksys",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2523,
            "URL": 6583,
            "FileHash-SHA256": 1132,
            "domain": 1483,
            "FileHash-SHA1": 43,
            "SSLCertFingerprint": 17,
            "FileHash-MD5": 109,
            "email": 2
          },
          "indicator_count": 11892,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "141 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fd0cc422cea2fd989581fd",
          "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
          "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.",
          "modified": "2025-11-24T17:02:12.441000",
          "created": "2025-10-25T17:45:40.291000",
          "tags": [
            "ipv4",
            "levelblue",
            "open threat",
            "date sat",
            "connection",
            "etag w",
            "cloudfront",
            "sameorigin age",
            "vary",
            "ip address",
            "kb body",
            "gtmkvjvztk",
            "utc gcfezl5ynvb",
            "utc na",
            "utc google",
            "analytics na",
            "utc linkedin",
            "insight tag",
            "learn",
            "exchange og",
            "levelblue open",
            "threat exchange",
            "exchange",
            "google tag",
            "iocs",
            "search otx",
            "included iocs",
            "review iocs",
            "data upload",
            "extraction",
            "layer protocol",
            "v full",
            "reports v",
            "port t1571",
            "t1573",
            "oc0006 http",
            "c0014",
            "get http",
            "dns resolutions",
            "user",
            "data",
            "datacrashpad",
            "edge",
            "tag manager",
            "us er",
            "help files",
            "shell",
            "html",
            "cve202323397",
            "iframe tags",
            "community score",
            "url http",
            "url https",
            "united",
            "united kingdom",
            "netherlands",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "indicator role",
            "title added",
            "active related",
            "otc oct",
            "report spam",
            "week ago",
            "scan",
            "learn more",
            "filehashmd5",
            "filehashsha1",
            "domain",
            "australia",
            "does",
            "josh",
            "created",
            "filehashsha256",
            "present jul",
            "present oct",
            "date",
            "a domains",
            "script urls",
            "for privacy",
            "moved",
            "script domains",
            "meta",
            "title",
            "body",
            "pragma",
            "encrypt",
            "ck ids",
            "t1060",
            "run keys",
            "startup",
            "folder",
            "t1027",
            "files",
            "information",
            "t1055",
            "injection",
            "capture",
            "south korea",
            "malaysia",
            "pulses",
            "fatal error",
            "hacker known",
            "name",
            "unknown",
            "risk",
            "weeks ago",
            "scary",
            "sova",
            "colorado",
            "wire",
            "name unknown",
            "thursday",
            "denver",
            "types of",
            "indicators hong",
            "kong",
            "tsara brashears",
            "african",
            "ethiopia",
            "b8reactjs",
            "india",
            "america",
            "x ua",
            "hostname",
            "dicator role",
            "pulses url",
            "airplane",
            "icator role",
            "t1432",
            "access contact",
            "list",
            "t1525",
            "image",
            "security scan",
            "heuristic oct",
            "discovery",
            "t1069",
            "t1071",
            "protocol",
            "t1105",
            "tool transfer",
            "t1114",
            "t1480",
            "internal image",
            "brian sabey",
            "month ago",
            "modified",
            "days ago",
            "green well",
            "sabey stash",
            "service",
            "t1040",
            "sniffing",
            "t1045",
            "packing",
            "t1053",
            "taskjob"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sova",
              "display_name": "Sova",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1022",
              "name": "Data Encrypted",
              "display_name": "T1022 - Data Encrypted"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1432",
              "name": "Access Contact List",
              "display_name": "T1432 - Access Contact List"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1525",
              "name": "Implant Internal Image",
              "display_name": "T1525 - Implant Internal Image"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1448",
              "name": "Carrier Billing Fraud",
              "display_name": "T1448 - Carrier Billing Fraud"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 956,
            "FileHash-SHA1": 906,
            "FileHash-SHA256": 2651,
            "URL": 4450,
            "domain": 708,
            "hostname": 2403,
            "CVE": 1,
            "email": 5
          },
          "indicator_count": 12080,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "187 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,",
        "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com",
        "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org",
        "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com",
        "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com",
        "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "to act as their human-controlled, \"living off the land\" command station.",
        "https://cdn.console.gotoresolve.com/applet",
        "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)",
        "its outbound traffic to logmein.com domains looks completely normal to firewalls.",
        "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com",
        "Amazonaws.com \u2022 Amazon.com",
        "http://www.endgamesystems.com/",
        "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.",
        "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022  www.anyxxxtube.net",
        "http://watchhers.net/index.php",
        "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "firebaseremoteconfig.googleapis.com",
        "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com",
        "Running webserver Running WordPress Running Drupal",
        "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info",
        "Yara Detections: is__elf",
        "remoteexecution-runner-api.services.gotoresolve.com",
        "Attack ChainThreat actors chain these three specific components together to bypass traditional ->",
        "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy",
        "http://pickyhot.disqus.com/",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "by pulling its primary files over public SMB shares.",
        "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/",
        "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "http://wg41xm05b3.endgamesystems.com/",
        "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
        "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com",
        "https://pickyhot.disqus.com/tsara-brashears",
        "Change all credentials from a separate, clean network.",
        "https://www.endgames.us \u2022 https://www.endgames.us/",
        "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60",
        "IP\u2019s Contacted:  104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113  212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
        "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->",
        "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794",
        "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022",
        "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware",
        "https://www.teslarati.com/tesla-hackers",
        "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP",
        "www.endgame.com",
        "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.",
        "If possible: Move to Switzerland",
        "alerts-monitor-api-fd-prodeu.services.gotoresolve.com",
        "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou",
        "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection",
        "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com",
        "Requires further research",
        "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com",
        "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.",
        "appleremotesupport.com \u2022 remotelyanywhere.com",
        "Matches rule SURICATA Applayer Detect protocol only one direction",
        "http://212.33.237.86/images/1/report.php",
        "Names: testpaging upof6w.exe",
        "This lets the threat actor route malicious command traffic into the local corporate network undetected.",
        "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.",
        "Immediate Recommendations: Disconnect all routers and isolate the network.",
        "All tags auto populated including\u2019 Elon Musk\u2019",
        "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com",
        "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
        "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting",
        "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.",
        "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)",
        "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com",
        "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]",
        "Because LogMeIn is a legitimate remote management tool used by actual IT departments,"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Tesla Hackers"
          ],
          "malware_families": [
            "Trojan.systembc/yxgdgz",
            "Synacktiv",
            "Mofksys",
            "Alf:trojan:win32/cassini_6d4ebdc9!ibt",
            "Trojanspy:win32/nivdort.cw",
            "Ransom:win32/crowti.a",
            "Tesla hackers",
            "Win.downloader.nemucod-6769668-0",
            "Win.trojan.gh0strat-9955419-1",
            "Win.trojan.hupigon-6989556-0",
            "Win.malware.jaik-9968280-0",
            "Trojandownloader:js/swabfex.p",
            "Trojandropper:win32/cutwail.gen!k",
            "Other malware",
            "Sova",
            "Doc.downloader.emotetred02220-9938909-0"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6a1b57af6e1986d0628bca12",
      "name": "SystemBC RAT, Quant Loader, and LogMeIn.com, combined to execute a multi-stage Corporate Styled Network Intrusion",
      "description": "\"Living off the Land\" Takeover (LogMeIn.com)\u201c\nINCIDENT REPORT: HIGH-VALUE TARGET NETWORK INTRUSION Threat Profile: Human-operated corporate-grade attack chain targeting an isolated device.Vector: Local network exposure (compromised router/neighboring device) or physical media (USB).Attack Chain Stages:Quant Script: Obfuscated entry file bypassing network filters.SystemBC RAT: Creates a silent, persistent SOCKS5/Tor tunnel for attacker commands.LogMeIn Abuse: Attackers use legitimate remote software to control the device undetected.Crowti (CryptoWall): Final ransomware payload to encrypt high-value data.Key Observations: Because the target device lacked direct internet access, adversaries are actively abusing the local network infrastructure or physical proximity to bridge the gap. \n\nI\u2019m open to other opinions regarding this report. I have been unwell and my thinking has been  unclear and even off as I focus on getting well.\nThank you.",
      "modified": "2026-05-30T21:33:35.237000",
      "created": "2026-05-30T21:33:35.237000",
      "tags": [
        "united",
        "unknown aaaa",
        "servers",
        "certificate",
        "urls",
        "logmein",
        "ipv4",
        "url analysis",
        "files",
        "america flag",
        "level",
        "data upload",
        "extraction",
        "failed",
        "enter sc",
        "extri data",
        "include review",
        "stop typ",
        "domain don",
        "united states",
        "america asn",
        "net20525119201",
        "amazon data",
        "net20525119202",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity adsn1",
        "handle",
        "sc data",
        "netherlands asn",
        "as204601 zomro",
        "dns resolutions",
        "log id",
        "gmtn",
        "timestamp",
        "tls web",
        "expiresfri",
        "path",
        "httponly",
        "salford",
        "sectigo limited",
        "sectigo rsa",
        "accept",
        "organization",
        "false",
        "authentication",
        "ocsp",
        "c179044d",
        "b89a",
        "d4n timestamp",
        "df9b",
        "post na",
        "lredmond",
        "stwa",
        "cnmicrosoft tls",
        "g2 rsa",
        "ca ocsp",
        "rmm domain",
        "search",
        "flashpix",
        "write",
        "unknown",
        "malware",
        "encrypt",
        "high",
        "medium",
        "write c",
        "template",
        "registers",
        "moved",
        "record value",
        "tls sni",
        "observed rmm",
        "omicrosoft",
        "stwashington",
        "server ca",
        "extr data",
        "error",
        "a50 data",
        "pattern match",
        "ascii text",
        "mitre att",
        "ck id",
        "general",
        "local",
        "click",
        "strings",
        "u extractio",
        "extrac data",
        "learn",
        "command",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "spawns",
        "signing defense",
        "discovery att",
        "code signing",
        "defense evasion",
        "t1480.002",
        "mrasn",
        "cachecontrol",
        "connection",
        "date tue",
        "gmt etag",
        "self",
        "etag w/\"leknjhepnj99sn\"",
        "name servers",
        "extre data",
        "observed dns",
        "query",
        "show",
        "localsm05208304",
        "localsm03520304",
        "title error",
        "all ipv4",
        "reverse dns",
        "as14618",
        "extraction data",
        "creato touc",
        "digice rsa",
        "sh certific",
        "hid iv",
        "trojandropper",
        "backdoor",
        "present may",
        "please",
        "x msedge",
        "exploit",
        "as8068",
        "av detection",
        "ratio",
        "ids detections",
        "content length",
        "content type",
        "x powered",
        "asn as16509",
        "x vercel",
        "vercel",
        "gmt content",
        "ransom",
        "dynamicloader",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "sysv",
        "buildid",
        "germany as8560",
        "yara detections",
        "contacted",
        "elf",
        "filehash",
        "av detections",
        "alerts",
        "analysis date",
        "file score",
        "low risk",
        "elf executable",
        "exec amd6464",
        "linux",
        "elf64 operation",
        "unix",
        "compiler",
        "elf info",
        "progbits",
        "offset size",
        "flags",
        "null",
        "hashes o",
        "get http",
        "post http",
        "entries",
        "trojan",
        "pegasus",
        "apple",
        "amazonaws",
        "smtp",
        "self-delete",
        "service-scan",
        "applayer",
        "madagascar",
        "qnapcrypt",
        "mal_elf_systembc_rat",
        "rat",
        "hacktool code",
        "systembc",
        "t1064",
        "create",
        "modify system",
        "process",
        "t1543 privile",
        "ta0004 cr",
        "t1543",
        "creation date",
        "whois show",
        "emails",
        "name logmein",
        "org logmein",
        "summer st",
        "date hash",
        "avast avg",
        "mtb jul",
        "k jun",
        "ai",
        "ai report",
        "appleremotesupport",
        "remotelyanywhere",
        "pegasus related"
      ],
      "references": [
        "https://www.logmein.com/products/resolve \u2022 http://devices-iot.console.gotoresolve.com/",
        "https://adservice.google.com.uy/clk \u2022 adservice.google.com.uy",
        "Amazonaws.com \u2022 Amazon.com",
        "screenmaxxxing.com \u2022 wiki.xxkcamffk.cc \u2022 playfoundermode.com",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022  www.anyxxxtube.net",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "103.246.145.111 \u2022 http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "13.107.226.70 \u2022 13.107.253.70 - Malware Hosting",
        "http://212.33.237.86/images/1/report.php",
        "http://watchhers.net/index.php",
        "remoteexecution-runner-api.services.gotoresolve.com",
        "firebaseremoteconfig.googleapis.com",
        "alerts-frontend-api-fd-stage.services-stage.gotoresolve.com",
        "alerts-monitor-api-fd-prodeu.services.gotoresolve.com",
        "testpaging SHA256 756f0b598741a6fdff640a158b6b490472e546d411da2850836b9a8ca76afdc1",
        "Yara Detections: is__elf",
        "IP\u2019s Contacted:  104.17.118.12  57.144.248.1  176.114.120.24  80.12.24.14  95.163.61.73  142.251.98.113  212.227.17.162  77.88.44.55  142.93.142.17  104.18.14.206",
        "Domains Contacted: checkip.amazonaws.com vk.com arena.ai www.yandex.ru stripchat.com",
        "Names: testpaging upof6w.exe",
        "Names: 2026-04-07_259af8b0d0bc540384a06bb730cee9cd_qnapcrypt ELF Info",
        "https://cdn.console.gotoresolve.com/applet",
        "Crowdsourced Signa: Matches rule Suspicious Outbound SMTP",
        "Suspicious DNS Query for IP post), Thomas Patzke Lookup Service APls by Brandon George (blog Crowdsourced)",
        "Crowdsourced IDS: Matches rule ET DROP Spamhaus DROP Listed Traffic Inbound group 60",
        "Matches rule ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "ET HUNTING Suspicious User-Agent Observed (Mozilla/5.0 (Windows NT XX.X Win64 x64) AppleWebKit/XXX.XX)",
        "Matches rule SURICATA Applayer Detect protocol only one direction",
        "SystemBC to map the backend network secretly, and a hijacked or fraudulent LogMeIn account ->",
        "to act as their human-controlled, \"living off the land\" command station.",
        "Attack ChainThreat actors chain these three specific components together to bypass traditional ->",
        "security filters:[Quant Script (Initial Drop)] \u2794 [SystemBC (SOCKS5/Tor Tunnel)] \u2794",
        "[LogMeIn.com (Legitimate Remote Access)] \u2794 [Ransomware]",
        "RaaS attack designed to deploy ransomware against \u2018high value\u2019 targets or corporations.",
        "In this specific attack chain, the threat actors use the Quant Loader script for initial entry,",
        "The Entry Vector (Quant Loader): A user interacts with a phishing link or malicious archive file.",
        "An obfuscated Quant Loader script runs natively in the background, evading anti-malware detection",
        "by pulling its primary files over public SMB shares.",
        "The Persistent Backdoor (SystemBC RAT): Quant Loader downloads and executes SystemBC.",
        "SystemBC sets up a scheduled task to stay persistent and opens a stealthy SOCKS5 proxy or Tor network tunnel.",
        "This lets the threat actor route malicious command traffic into the local corporate network undetected.",
        "Once inside the network, attackers avoid deploying more loud hacking tools & Download or abuse LogMeIn[.]com software.",
        "Because LogMeIn is a legitimate remote management tool used by actual IT departments,",
        "its outbound traffic to logmein.com domains looks completely normal to firewalls.",
        "The Objective: The hackers use the trusted LogMeIn connection to freely move laterally, steal data, turn off local security defenses, and deploy network-wide ransomware",
        "remoteexecution-runner-api.services.gotoresolve.com\t\u2022 appleremotesupport.com\t\u2022",
        "firebaseremoteconfig.googleapis.com \u2022 remoteexecution-runner-api.services.gotoresolve.com",
        "remotelyanywhere.com \u2022,http://watchhers.net/index.php \u2022 firebaseremoteconfig.googleapis.com",
        "appleremotesupport.com \u2022 remotelyanywhere.com",
        "Immediate Recommendations: Disconnect all routers and isolate the network.",
        "Air-gap the target device (disable Wi-Fi, pull cables). Expensive : Dispose of all devices.",
        "Change all credentials from a separate, clean network.",
        "If possible: Move to Switzerland"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/Crowti.A",
          "display_name": "Ransom:Win32/Crowti.A",
          "target": "/malware/Ransom:Win32/Crowti.A"
        },
        {
          "id": "Trojan.Systembc/yxgdgz",
          "display_name": "Trojan.Systembc/yxgdgz",
          "target": null
        },
        {
          "id": "TrojanSpy:Win32/Nivdort.CW",
          "display_name": "TrojanSpy:Win32/Nivdort.CW",
          "target": "/malware/TrojanSpy:Win32/Nivdort.CW"
        },
        {
          "id": "Win.Downloader.Nemucod-6769668-0",
          "display_name": "Win.Downloader.Nemucod-6769668-0",
          "target": null
        },
        {
          "id": "TrojanDownloader:JS/Swabfex.P",
          "display_name": "TrojanDownloader:JS/Swabfex.P",
          "target": "/malware/TrojanDownloader:JS/Swabfex.P"
        },
        {
          "id": "Win.Downloader.Nemucod-6769668-0",
          "display_name": "Win.Downloader.Nemucod-6769668-0",
          "target": null
        },
        {
          "id": "Doc.Downloader.EmotetRed02220-9938909-0",
          "display_name": "Doc.Downloader.EmotetRed02220-9938909-0",
          "target": null
        },
        {
          "id": "TrojanDropper:Win32/Cutwail.gen!K",
          "display_name": "TrojanDropper:Win32/Cutwail.gen!K",
          "target": "/malware/TrojanDropper:Win32/Cutwail.gen!K"
        },
        {
          "id": "Win.Trojan.Gh0stRAT-9955419-1",
          "display_name": "Win.Trojan.Gh0stRAT-9955419-1",
          "target": null
        },
        {
          "id": "Win.Trojan.Hupigon-6989556-0",
          "display_name": "Win.Trojan.Hupigon-6989556-0",
          "target": null
        },
        {
          "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
          "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt",
          "target": null
        },
        {
          "id": "Win.Malware.Jaik-9968280-0",
          "display_name": "Win.Malware.Jaik-9968280-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1543.002",
          "name": "Systemd Service",
          "display_name": "T1543.002 - Systemd Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 275,
        "FileHash-SHA1": 243,
        "FileHash-SHA256": 1320,
        "URL": 897,
        "domain": 796,
        "email": 7,
        "hostname": 783,
        "IPv4": 446,
        "CIDR": 2,
        "SSLCertFingerprint": 33
      },
      "indicator_count": 4802,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "13 hours ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6939d93da11a7d2bf7535ef1",
      "name": "Tesla Hackers Log In | Disqus",
      "description": "I\u2019m not certain when the blog \u2018https://pickyhot.disqus.com/tsara-brashears\u2019 first appeared online. It was present in 2016-2021. It was a porn-spewing blog that was obviously full of tools. The lot pics debated the target\u2019s race, beauty and other silly things. I don\u2019t know if the target ever clicked on the links. Tesla Hackers have played a major role in attacks against the target. I haven\u2019t sifted through all the malware yet. \n\n\n - Elon Musk - When Brashears suffered an attempted hit on the roadway she described the suspect as an Elon Musk type, possibly offspring, or someone closely tied to him.",
      "modified": "2026-01-09T19:02:12.608000",
      "created": "2025-12-10T20:34:05.903000",
      "tags": [
        "disqus",
        "disqus.com",
        "comments",
        "blog",
        "blogs",
        "discussion",
        "google facebook",
        "twitter",
        "microsoft apple",
        "email",
        "forgot password",
        "login",
        "sign",
        "general full",
        "url https",
        "security tls",
        "united",
        "asn54113",
        "fastly",
        "reverse dns",
        "resource",
        "hash",
        "flag",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "contacted hosts",
        "ck id",
        "show technique",
        "mitre att",
        "ck matrix",
        "pattern match",
        "ascii text",
        "network traffic",
        "t1057",
        "path",
        "learn",
        "command",
        "suspicious",
        "informative",
        "name tactics",
        "spawns",
        "t1480 execution",
        "signing defense",
        "file defense",
        "read c",
        "tlsv1",
        "search",
        "jfif",
        "ijg jpeg",
        "tls handshake",
        "failure",
        "show",
        "port",
        "execution",
        "next",
        "dock",
        "write",
        "persistence",
        "malware",
        "unknown",
        "waymo",
        "tesla",
        "musk",
        "austin",
        "bay area",
        "tesla ceo",
        "elon musk",
        "wednesday",
        "safety monitor",
        "synacktiv",
        "aaaa",
        "present jul",
        "status",
        "asnone country",
        "as13335",
        "present sep",
        "present apr",
        "present dec",
        "present jun",
        "lte all",
        "search otx",
        "additionally",
        "enter source",
        "url or",
        "data upload",
        "extraction",
        "entries",
        "present may",
        "dynamicloader",
        "as15169",
        "medium",
        "write c",
        "odigicert inc",
        "windows",
        "as54113",
        "worm",
        "copy",
        "explorer",
        "encrypt",
        "target tsraa brashears"
      ],
      "references": [
        "http://pickyhot.disqus.com/",
        "https://www.teslarati.com/tesla-hackers",
        "https://pickyhot.disqus.com/tsara-brashears",
        "All tags auto populated including\u2019 Elon Musk\u2019",
        "Running webserver Running WordPress Running Drupal",
        "bulletproof.palantirapollo.com \u2022 vpn-etuleusj2dpr.palantirclou",
        "https://publicsector.google/404-page-not-found/\t \u2022 www.founderstack.pro \u2022 oedfoundation.org",
        "https://www.founderstack.pro/feedhive \u2022 https://coinbase.getro.com/companies/astar-foundation \u2022 founders-vision.com",
        "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
        "www.endgame.com",
        "://blog.endgamesystems.com/ \u2022 http://httpswww.endgamesystems.com\t URL\thttp://wg41xm05b3.endgamesystems.com",
        "https://www.endgames.us \u2022 https://www.endgames.us/",
        "wg41xm05b3.endgamesystems.com\t\u2022 http://blog.endgamesystems.com",
        "https://httpswww.endgamesystems.com\t\u2022 https://wg41xm05b3.endgamesystems.com",
        "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com",
        "https://blog.endgamesystems.com/\t\u2022 https://blog.endgamesystems.com",
        "http://www.endgamesystems.com/",
        "http://wg41xm05b3.endgamesystems.com/",
        "http://www.endgamesystems.com/",
        "Requires further research"
      ],
      "public": 1,
      "adversary": "Tesla Hackers",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Synacktiv",
          "display_name": "Synacktiv",
          "target": null
        },
        {
          "id": "Tesla Hackers",
          "display_name": "Tesla Hackers",
          "target": null
        },
        {
          "id": "Other Malware",
          "display_name": "Other Malware",
          "target": null
        },
        {
          "id": "Mofksys",
          "display_name": "Mofksys",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2523,
        "URL": 6583,
        "FileHash-SHA256": 1132,
        "domain": 1483,
        "FileHash-SHA1": 43,
        "SSLCertFingerprint": 17,
        "FileHash-MD5": 109,
        "email": 2
      },
      "indicator_count": 11892,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "141 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fd0cc422cea2fd989581fd",
      "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)",
      "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia, South Africa with US-based external resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt to or do connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. They say they are from Canada or\nFrance, somewhere abroad, when they are down the street using your services. There was a user \u2018Merkd\u2019 whose entire system seemed to become infected by someone or someone about this platform. Check the IP address at all\nto see if it matches or is on the same block as OTC; the region will show as well. Hackers may potentially cnc / move your profile onto their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting that I download a page. Keep your systems locked down if you\u2019re researching, not reporting, vulnerabilities.",
      "modified": "2025-11-24T17:02:12.441000",
      "created": "2025-10-25T17:45:40.291000",
      "tags": [
        "ipv4",
        "levelblue",
        "open threat",
        "date sat",
        "connection",
        "etag w",
        "cloudfront",
        "sameorigin age",
        "vary",
        "ip address",
        "kb body",
        "gtmkvjvztk",
        "utc gcfezl5ynvb",
        "utc na",
        "utc google",
        "analytics na",
        "utc linkedin",
        "insight tag",
        "learn",
        "exchange og",
        "levelblue open",
        "threat exchange",
        "exchange",
        "google tag",
        "iocs",
        "search otx",
        "included iocs",
        "review iocs",
        "data upload",
        "extraction",
        "layer protocol",
        "v full",
        "reports v",
        "port t1571",
        "t1573",
        "oc0006 http",
        "c0014",
        "get http",
        "dns resolutions",
        "user",
        "data",
        "datacrashpad",
        "edge",
        "tag manager",
        "us er",
        "help files",
        "shell",
        "html",
        "cve202323397",
        "iframe tags",
        "community score",
        "url http",
        "url https",
        "united",
        "united kingdom",
        "netherlands",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "indicator role",
        "title added",
        "active related",
        "otc oct",
        "report spam",
        "week ago",
        "scan",
        "learn more",
        "filehashmd5",
        "filehashsha1",
        "domain",
        "australia",
        "does",
        "josh",
        "created",
        "filehashsha256",
        "present jul",
        "present oct",
        "date",
        "a domains",
        "script urls",
        "for privacy",
        "moved",
        "script domains",
        "meta",
        "title",
        "body",
        "pragma",
        "encrypt",
        "ck ids",
        "t1060",
        "run keys",
        "startup",
        "folder",
        "t1027",
        "files",
        "information",
        "t1055",
        "injection",
        "capture",
        "south korea",
        "malaysia",
        "pulses",
        "fatal error",
        "hacker known",
        "name",
        "unknown",
        "risk",
        "weeks ago",
        "scary",
        "sova",
        "colorado",
        "wire",
        "name unknown",
        "thursday",
        "denver",
        "types of",
        "indicators hong",
        "kong",
        "tsara brashears",
        "african",
        "ethiopia",
        "b8reactjs",
        "india",
        "america",
        "x ua",
        "hostname",
        "dicator role",
        "pulses url",
        "airplane",
        "icator role",
        "t1432",
        "access contact",
        "list",
        "t1525",
        "image",
        "security scan",
        "heuristic oct",
        "discovery",
        "t1069",
        "t1071",
        "protocol",
        "t1105",
        "tool transfer",
        "t1114",
        "t1480",
        "internal image",
        "brian sabey",
        "month ago",
        "modified",
        "days ago",
        "green well",
        "sabey stash",
        "service",
        "t1040",
        "sniffing",
        "t1045",
        "packing",
        "t1053",
        "taskjob"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sova",
          "display_name": "Sova",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1022",
          "name": "Data Encrypted",
          "display_name": "T1022 - Data Encrypted"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1432",
          "name": "Access Contact List",
          "display_name": "T1432 - Access Contact List"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1525",
          "name": "Implant Internal Image",
          "display_name": "T1525 - Implant Internal Image"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1448",
          "name": "Carrier Billing Fraud",
          "display_name": "T1448 - Carrier Billing Fraud"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 956,
        "FileHash-SHA1": 906,
        "FileHash-SHA256": 2651,
        "URL": 4450,
        "domain": 708,
        "hostname": 2403,
        "CVE": 1,
        "email": 5
      },
      "indicator_count": 12080,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "187 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "gotoresolve.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "gotoresolve.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780226244.742759
}