{ "type": "Domain", "indicator": "gstatic.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gstatic.com", "alexa": "http://www.alexa.com/siteinfo/gstatic.com", "indicator": "gstatic.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #14", "name": "Akamai Popular Domain" }, { "source": "alexa", "message": "Alexa rank: #511", "name": "Listed on Alexa" }, { "source": "majestic", "message": "Whitelisted domain gstatic.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain gstatic.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2267116664, "indicator": "gstatic.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-04-19T09:34:35.173000", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2319, "FileHash-SHA1": 2376, "FileHash-SHA256": 6772, "domain": 1789, "hostname": 1234, "URL": 922, "email": 45, "CVE": 46, "CIDR": 3, "YARA": 7, "IPv4": 3, "JA3": 1 }, "indicator_count": 15517, "is_author": false, "is_subscribing": null, "subscriber_count": 53, "modified_text": "11 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 hour ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ba1037c60cb420bf66b46c", "name": "docaccess", "description": "", "modified": "2026-04-18T05:15:12.381000", "created": "2026-03-18T02:38:47.338000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 309, "FileHash-SHA1": 288, "FileHash-SHA256": 545, "URL": 117, "domain": 108, "email": 7, "hostname": 44, "CVE": 1 }, "indicator_count": 1419, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc70fcbd3f613502e1f7", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T09:28:38.049000", "created": "2026-04-17T06:00:16.867000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 442, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24911, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e1cc6fd3c4022e08db781d", "name": "order clone by aclause21 Public", "description": "", "modified": "2026-04-17T06:51:33.372000", "created": "2026-04-17T06:00:15.760000", "tags": [ "access ta0001", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "catalog tree", "ob0005 defense", "evasion ob0006", "impact ob0008", "hashes cape", "sandbox", "docguard", "yomi hunter", "zenbox", "ip traffic", "pattern domains", "memory pattern", "urls https", "adversaries", "mitre att", "t1189 found", "clickable urls", "pdf execution", "t1036", "creates", "hide artifacts", "exploitation", "e1564 hidden", "files", "discovery e1082", "e1203 data", "vhash", "ssdeep", "file type", "pdf document", "magic pdf", "trid adobe", "format", "file size", "united", "as32934", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "status", "search", "showing", "server error", "certificate", "creation date", "high assurance", "server ca", "date", "body", "win32", "ransom", "entries", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "show", "malware", "copy", "push", "write", "aaaa", "nxdomain", "united kingdom", "thailand", "vietnam", "as45430", "honduras", "indonesia", "mexico", "slovakia", "dynamicloader", "yara rule", "high", "ekyxe", "xe e", "eofae", "ee edcje4j", "tofsee", "windows", "medium", "stream", "grum", "as15169 google", "pulses", "record value", "error", "cname", "name servers", "ireland", "next", "federation asn", "as49505", "labs pulses", "trojan", "trojandropper", "related pulses", "file samples", "files matching", "date hash", "copyright", "all search", "reverse dns", "location united", "emails info", "expiration date", "as51167 contabo", "germany unknown", "a nxdomain", "as40021 contabo", "encrypt", "url http", "http", "ip address", "related nids", "files location", "ddos", "activity", "checkin", "win64", "mirai", "hosting", "files ip", "address", "czechia unknown", "as174 cogent", "asnone germany", "as15598", "as16625 akamai", "asnone united", "as20940", "as35994 akamai", "as12337 noris", "pulse submit", "url analysis", "backdoor", "gmt cache", "sameorigin", "443 ma2592000", "suspicious", "virtool", "emails", "domain name", "code", "brazil", "poland", "domain", "msie", "windows nt", "tcp syn", "resolverror", "exploit", "externalport", "internalport", "http headers", "home network", "demonbot", "andariel", "yara detections", "malware traffic", "nids", "dns query", "google safe", "browsing", "whois", "virustotal", "mtb apr", "asnone related", "open", "hash avast", "avg clamav", "msdefender apr", "as8075", "content type", "access", "cp bus", "cur cono", "fin ivdo", "onl our", "phy samo", "overview ip", "flag united", "hostname", "files domain", "as8068", "trojan features", "rsa tls", "issuing ca", "mirai variant", "useragent", "inbound", "realtek sdk", "miniigd upnp", "soap command", "activity mirai", "helloworld", "users", "alerts", "anomalous file", "recycle bin", "filehash", "av detections", "memcommit", "read c", "memreserve", "for privacy", "china unknown", "ag alberto", "pedraz", "holidaycheck ag", "project pi", "immobilien ag", "puma se", "kurt walther", "ag ingo", "kraupa", "timo salzsieder", "record type", "ttl value", "msms57295540", "subdomains", "ireland unknown", "analyzer paste", "iocs", "samples", "regsetvalueexa", "default", "regdword", "module load", "t1129", "http request", "process32nextw", "regbinary", "oxypumper", "tools", "dock", "april", "persistence", "execution", "download", "as62597 nsone", "echo request", "sweep", "payload hello", "world", "total", "please", "xport", "main", "look", "install", "servers", "found", "cnapple public", "accept", "chrome", "moved", "ssl certificate", "write c", "installcore", "june", "delphi", "as47846", "cookie", "as32787 akamai", "as714 apple", "m1", "onelouder", "brian sabey", "denver colorado", "fakedout threat", "gmt content", "x cache", "div div", "as8972 host", "france unknown", "registrar", "otx scoreblue", "address domain", "as24940 hetzner", "as44273 host", "asn as15598", "trojanspy", "mail spammer", "germany mail", "spammer", "hichina", "data redacted", "a domains", "wow64", "slcc2", "media center", "port", "powershell", "urls http", "tptjsw", "virus", "ids detections", "germany", "as8560", "austria", "as1921", "as14061", "whitelisted", "as16276", "script urls", "as16552 tiggee", "as9009 m247", "meta", "as29789", "detected m1", "mtb aug", "server", "as397241", "cryp", "hostmaster", "networks", "as19024", "gmt setcookie", "delete", "russia as49505", "sinkhole cookie", "value snkz", "pe32", "possible", "susp", "lnmp", "lnmp a", "licess", "shell", "as63949 linode", "as133618", "as21342", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "gafgyt", "exploit none", "binbusybox", "delete c", "odigicert inc", "stwashington", "lredmond", "rsa ca", "cape", "nondns", "denver", "redacted for", "method status", "url hostname", "ip country", "type get", "date tue", "gmt contenttype", "connection", "cachecontrol", "expires thu", "gmt vary", "poland unknown", "title", "script domains", "updated date", "serce internetu", "cnc beacon", "javascript", "wsasend", "post", "delete shadows", "all quiet", "t1047", "instrumentation", "rpcs", "ms windows", "asnone dns", "http host", "ip check", "sha256", "bits", "adware malware", "etpro malware", "bios", "guard", "tulach", "spectrum", "cyber folks", "tsara brashears", ".pl", "contacted", "kryptikxp", "apple", "ios", "android", "sabey", "charter communications", "denvecolorado", "quantum fiber", "air force", "swipper", "masquerade", "hitmen", "mitm", "whitesky", "cyber warfare", "porn", "pornhub.software" ], "references": [ "DISTINCTIO8.pdf", "FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string", "IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set", "Tofsee: 'google.com' | https://www.gov50.icu |", "ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...)", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing", "hubt.pornhub.com | www.pornhub.com | pornative.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/", "www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/", "Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da", "IDS Detections: WGET Command Specifying Output in HTTP Headers", "IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution", "Yara Detections: is__elf , DemonBot", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout", "FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c", "IDS Detections: Andariel Backdoor Activity (Checkin)", "Alerts: dead_host nids_malware_alert network_icmp nolookup_communication", "DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2", "IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST", "IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy", "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/", "https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com", "apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com", "autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com", "* https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "https://tulach.cc/ | tulach.cc |", "http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com", "google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl", "18teen.net | teensnow.com | grannies-porn.net | pornmd.com", "www.pornhubselect.com | pornhub.software" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Chile", "Morocco", "Taiwan", "Guatemala", "United Kingdom of Great Britain and Northern Ireland", "Ireland", "Kenya", "Peru", "Singapore", "Mexico", "Brazil", "Slovakia", "Spain", "Australia", "Belgium", "Germany", "Hungary", "Netherlands", "Russian Federation", "Japan", "Poland" ], "malware_families": [ { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "TEL:CreateScheduledTask", "display_name": "TEL:CreateScheduledTask", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Ransom:Win32/Haperlock", "display_name": "Ransom:Win32/Haperlock", "target": "/malware/Ransom:Win32/Haperlock" }, { "id": "Trojan:Win32/Neurevt", "display_name": "Trojan:Win32/Neurevt", "target": "/malware/Trojan:Win32/Neurevt" }, { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "CVE-2017-17215", "display_name": "CVE-2017-17215", "target": null }, { "id": "CVE-2023-27350", "display_name": "CVE-2023-27350", "target": null }, { "id": "CVE-2014-8361", "display_name": "CVE-2014-8361", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "M1", "display_name": "M1", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Trojan.Sarwent-10012602-0", "display_name": "Win.Trojan.Sarwent-10012602-0", "target": null }, { "id": "Virus:Win32/Sivis.A", "display_name": "Virus:Win32/Sivis.A", "target": "/malware/Virus:Win32/Sivis.A" }, { "id": "Win.Trojan.Installcore-1177", "display_name": "Win.Trojan.Installcore-1177", "target": null }, { "id": "Win.Malware.Oxypumper-6900435-0", "display_name": "Win.Malware.Oxypumper-6900435-0", "target": null }, { "id": "Win.Malware.Qshell-9875653-0", "display_name": "Win.Malware.Qshell-9875653-0", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [], "TLP": "green", "cloned_from": "678f0dbdbc59dd2ea5656dcf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7589, "FileHash-SHA1": 3982, "FileHash-SHA256": 8280, "URL": 441, "domain": 2416, "hostname": 2155, "email": 37, "CVE": 4, "SSLCertFingerprint": 6 }, "indicator_count": 24910, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628dff37032808c7c9e014dc", "name": "Sauron - Malware Domain Feed V2", "description": "Command and Control domains for Sauron. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-17T06:25:54.995000", "created": "2022-05-25T10:04:39.623000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 156400, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48998, "domain": 83143 }, "indicator_count": 132141, "is_author": false, "is_subscribing": null, "subscriber_count": 1550, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b7d96dfe022e3e33d347a2", "name": "CAPE Sandbox - \"undefined\"", "description": "", "modified": "2026-04-15T10:12:27.063000", "created": "2026-03-16T10:20:29.311000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 9, "domain": 24, "hostname": 112, "URL": 161, "CIDR": 9, "email": 2 }, "indicator_count": 328, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b786ef253f307468ab0d63", "name": "Project", "description": "Pulses, also known as Pulse.org, are being used to track users' activity on the internet and send emails to a website owned by GoDaddy.com, the company that owns the domain. <-- pretext not my thoughts but interesting and not my take though infra I suspect is targeted for geofencing and other abuse. researchers remain vigilint on infra", "modified": "2026-04-15T04:08:56.830000", "created": "2026-03-16T04:28:31.032000", "tags": [ "united", "unknown", "as54113", "date", "aaaa", "status", "cname", "as44273 host", "moved", "passive dns", "title", "body", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 350, "FileHash-SHA1": 5, "domain": 501, "hostname": 1851, "email": 7, "CIDR": 6, "FileHash-SHA256": 8, "CVE": 1, "FileHash-MD5": 2 }, "indicator_count": 2731, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b766b93c6e815e08bbd8dc", "name": "Cloudgate ASNONE", "description": "clever.", "modified": "2026-04-15T02:24:17.244000", "created": "2026-03-16T02:11:05.001000", "tags": [ "status", "creation date", "passive dns", "expiration date", "name servers", "date", "united", "show", "verdict", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 201, "email": 6, "URL": 49, "hostname": 247, "FileHash-MD5": 18, "FileHash-SHA1": 45, "FileHash-SHA256": 633 }, "indicator_count": 1199, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b73596b478cda60ddaae0f", "name": "chatgpt->zoom", "description": "", "modified": "2026-04-14T22:18:06.069000", "created": "2026-03-15T22:41:26.207000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 226, "domain": 122, "URL": 110, "FileHash-MD5": 103, "FileHash-SHA1": 104, "FileHash-SHA256": 102, "email": 9, "CVE": 1 }, "indicator_count": 777, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69de5661aa69bc26fcc67ca5", "name": "VirusTotal report\n for document.html", "description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.", "modified": "2026-04-14T15:46:10.139000", "created": "2026-04-14T14:59:45.579000", "tags": [ "thumbprint", "server", "domain status", "not available", "combell", "fri oct", "domain name", "mitre attack", "network info", "performs dns", "found", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "next", "cauliflower", "ardo", "script", "green", "grey", "doctype html", "head", "ieedge", "meta", "noscript", "generator", "title", "fri jan", "value a", "cname", "file type", "unix", "dropped info", "linux verdict", "persistence", "malicious", "pe file", "pe32", "ms windows", "crlf line", "ascii text", "drops pe", "intel", "json", "info", "windows sandbox", "calls process", "algorithm", "key identifier", "x509v3 subject", "full name", "v3 serial", "number", "cus odigicert", "inc cndigicert", "global g3", "tls ecc" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5", "https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl", "https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 581, "domain": 706, "IPv4": 42, "hostname": 577, "URL": 386, "FileHash-SHA256": 1620, "FileHash-MD5": 537, "CVE": 6 }, "indicator_count": 4455, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b6044b1389957c1d2afb58", "name": "Pulses in Question", "description": "Following.", "modified": "2026-04-14T01:10:24.056000", "created": "2026-03-15T00:58:51.761000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 56, "FileHash-SHA256": 93, "URL": 122, "hostname": 150, "email": 1, "domain": 37 }, "indicator_count": 515, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-04-12T20:46:57.338000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "IPv4": 322, "SSLCertFingerprint": 24, "email": 2, "IPv6": 1 }, "indicator_count": 5321, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69dbc9296c9e5157b644a536", "name": "Marimo Exploitation Underway", "description": "A critical vulnerability in Marimo has been discovered, allowing for pre-authentication remote code execution. This flaw has the potential to impact a wide range of users, as it can be exploited without the need for authentication. The vulnerability is considered high-risk due to its ease of exploitation and the potential for significant damage. The affected scope is broad, and all versions are vulnerable. No authentication is required to exploit this vulnerability.\n\n\nThe attack vector for this ...", "modified": "2026-04-12T16:32:41.155000", "created": "2026-04-12T16:32:41.155000", "tags": [ "initial-access", "execution", "privilege-escalation", "T1190", "high", "vta", "threat-intelligence" ], "references": [ "https://news.google.com/rss/articles/CBMisAFBVV95cUxOazFTaGNxS3lMUzBtV2lPXzlXRG1kNWlianpyUUh1aFd5ay1jaDV4WHZUTG03Q2NVUUZ2dzJsUVVfYjliVGFiYW9SdHpVUXZEalRkT0F1TWJEYkZ5MFhucEhTanB1aGstbVJlNTNYOEQ3RXVic3Vrd0RwYlNPclB5Q25rczNQU2ZxMEJCT1F3SWZfUHBtb1hmS0t3X3ItLTJRMlVHRGVYUjZBX1Qyd21yNdIBtgFBVV95cUxQVFU0c3o4dUVWdWM3dTdVSk1tem1ldlcyaFV6bDZwRE9XUlNxSTFmMmNwQTNWTWR2UWJpR1pTNnNaYVZHSjg5OEZkdjVscHM3bXZGVnBEOVBSWTEwOUhUSVVYNXl2Q2dIeERWRi1WVVFGYkRtbzQtdDNuVk1ZejdBSjN3TVdFX0p1dmdrcG1Ua0tvbGJzYkdBSGhwU0RSa19Qal9RRzliYll2amJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 2, "hostname": 3 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bf4cc74c3d8f391a1a927c", "name": "9e42ac52bda44d5cadcabffd1d5e78a06598c8b5", "description": "", "modified": "2026-04-12T09:32:06.522000", "created": "2026-03-22T01:58:31.611000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 308, "FileHash-SHA1": 305, "FileHash-SHA256": 362, "IPv4": 15, "URL": 369, "hostname": 376, "domain": 192, "email": 13 }, "indicator_count": 1940, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db04d0bf001cf96d81cd84", "name": "Over Twenty Thousand Crypto Fraud Victims Identified", "description": "A recent international crackdown has identified over twenty thousand victims of crypto fraud, highlighting the scale and complexity of this type of cybercrime. The victims were targeted through various means, including phishing scams, fake investment schemes, and other types of online fraud. The scale of the impact is significant, with the total losses estimated to be in the millions of dollars. The victims come from various countries, and the crackdown is a result of a coordinated effort by law...", "modified": "2026-04-12T02:34:56.192000", "created": "2026-04-12T02:34:56.192000", "tags": [ "initial-access", "execution", "privilege-escalation", "T1193", "T1204", "high", "vta", "threat-intelligence" ], "references": [ "https://news.google.com/rss/articles/CBMivAFBVV95cUxOT1N2ZWR1T3gwbFZhWHhEVmtNRURzRHI5VmdaaTMxLXJ0V3dFM0NFV1pFYWhBMGN4b3FlTkR5QUZyTTBoWDdjbkJYdzhpOXdSRklrdmtISWt0bU5qQ204TmxoSW02VTRpMDQtWTV6c2wyU1RYYm1SdlBKbkF2ajN0b3EtNmpjNTRKRlV1YkthYlRHSURTN0ozS2VuM3hWTzZoTUxzai1Bc2Y5RThXVEZhb2NEdURNLTZSQkc0MdIBwgFBVV95cUxOY0VRenhRaTIwRHdmOGRlcVRMMVBabU1wOUFJRWFRU1lNSXF6aE51cG1WQnNFZmFmTWl2b3JfMm1lelNvVHNoZzU2M0JLc2hIaHdGc1haNUhWODN2b0lfOWNhUEZFS1VBSm16a1ZCNjI3MDA3LUoyaUlUYXFvQmdpOGhkRVlfZUhKNHRsNHN2UExoS2R3UmZ4VmJUdFYxaGM" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 2, "hostname": 3 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d9b0e549af1aae2975ebeb", "name": "Virtual Servers \u2022 Tulach \u2022 Eternal Blue", "description": "Interesting. Further research required. \n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+\n\n\nhttps://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff90+IP:+Sweden%0A\\\\xfff0\\\\xff9f\\\\xff97\\\\xffba+Country:+SE+", "modified": "2026-04-11T02:24:37.102000", "created": "2026-04-11T02:24:37.102000", "tags": [ "related pulses", "apple", "imac", "itunes", "tulach", "active", "vercel", "ms windows", "intel", "yara rule", "lredmond", "rsds", "write c", "tls sni", "write", "install", "rijndael", "malware", "accept", "self", "mtb apr", "lowfi", "backdoor", "antigua", "trojandropper", "all ipv4", "urls", "prometheus", "files", "files ip", "address", "united", "unknown aaaa", "cname", "tags", "keepalived", "ip address", "red hat", "nat node", "gns3", "firefox", "ovn network", "instances", "forum", "linux", "dynamicloader", "exclusionpath", "medium", "high", "telegram api", "windows", "f rl", "highest sc", "guard", "april", "powershell", "c mar", "virtool", "c jan", "c dec", "urls show", "url hostname", "ransom", "click", "title", "njrat", "as64521i", "bird", "bgp", "virtual private", "virtual servers", "et exploit", "ms17010 echo", "response", "echo response", "asnone", "probe ms17010", "nids", "m2 ms17010", "regsetvalueexa", "service", "wannacry", "dock", "unknown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "mitre att", "defense evasion", "sha1", "sha256", "size", "pattern match", "ascii text", "path", "stop", "hybrid", "general", "local", "twitter", "strings", "core", "telegram", "tools" ], "references": [ "Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H IDS Detections Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010 Possible ETERNALBLUE Probe MS17-010 (Generic Flags) Possible ETERNALBLUE MS17-010 Heap Spray More Yara Detections WannaCry_Ransomware , WannaCry_Ransomware_Gen , WannaDecryptor , stack_string , MS17_010_WanaCry_worm More Alerts nids_exploit", "https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=+New+Worker+Online%0A+PC:+DESKTOP-BBE3PFV%0A+User:+alien%0A+IP:+Sweden%0A+Country:+SE+ Akamai rank: #2475\t URL https://api.telegram.org/bot8479694307:AAHBqcVtSCKfb3XApVQcVGpW7SFQgnxZJgM/sendMessage?chat_id=-1002760967718&text=\\\\xfff0\\\\xff9f\\\\xff9f\\\\xffa2+New+Worker+Online%0A\\\\xfff0\\\\xff9f\\\\xff92\\\\xffbb+PC:+DESKTOP-BBE3PFV%0A\\\\xfff0\\\\xff9f\\\\xff91\\\\xffa4+User:+alien%0A\\\\xfff0\\\\xff9f\\\\xff8c\\\\xff9", "https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf", "https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f", "Trojans: 149.154.166.110 command_and_control (build your own telegram) 208.95.112.1 command_and_control", "prometheus.shorty.cicloinfinito.com", "Win.Packed.njRAT-10002074-1", "NJRat IDS Detections: Telegram API Domain in DNS Lookup", "NJRat IDS Detections: Observed Telegram API Domain (api .telegram .org in TLS SNI)", "NJRat IDS Detections: Telegram API Certificate Observed", "NJRat Yara Detections: ByteCode_MSIL_Backdoor_AsyncRAT", "NJRat Alerts: hardware_id_profiling network_cnc_https_pastesite persistence_autorun", "NJRat Alerts: persistence_autorun_tasks binary_yara procmem_yara suricata_alert", "NJRat Alerts: windows_defender_powershell network_document_file powershell_command_suspicious", "NJRat Alerts: suspicious_command_tools antidebug_guardpages antisandbox_sleep", "NJRat Alerts: dynamic_function_loading encrypted_ioc registers_vectored_exception_handler", "NJRat Alerts: http_request reads_memory_remote_process network_cnc_https_generic reads_self", "NJRat IP\u2019s Contacted 149.154.166.110 172.66.171.73", "NJRat Domains Contacted pastebin.com api.telegram.org", "192.168.122.200 BGP: Simulating Inter-network Dynamic Routing", "EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.105\", \"dst_port\": 49317, \"sid\": 2025650, \"date\": \"2020/06/18 11:39:48\", \"dst_ip\": \"192.168.56.103\" }, \"type\": \"ioc\", \"description\": null }, { \"category\": \"suricata\", \"ioc\": { \"src_port\": 445, \"name\": \"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010\", \"src_ip\": \"192.168.56.108\", \"dst_port\": 49324, " ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "United States of America", "China" ], "malware_families": [ { "id": "Win.Trojan.Generic-9908396-0", "display_name": "Win.Trojan.Generic-9908396-0", "target": null }, { "id": "Win.Trojan.Crypted-30", "display_name": "Win.Trojan.Crypted-30", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Win.Malware.Score-6985947-1", "display_name": "Win.Malware.Score-6985947-1", "target": null }, { "id": "ALF:PWS:MSIL/Stealgen.GC!MTB", "display_name": "ALF:PWS:MSIL/Stealgen.GC!MTB", "target": null }, { "id": "Win.Packed.Zpack-10013367-0", "display_name": "Win.Packed.Zpack-10013367-0", "target": null }, { "id": "ALF:Trojan:Win32/FormBook.F!MTB", "display_name": "ALF:Trojan:Win32/FormBook.F!MTB", "target": null }, { "id": "Win.Malware.Renos-10003934-0", "display_name": "Win.Malware.Renos-10003934-0", "target": null }, { "id": "Win.Trojan.Razy-10016933-0", "display_name": "Win.Trojan.Razy-10016933-0", "target": null }, { "id": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "display_name": "#Lowfi:AGGR:HSTR:Win32/PossibleKeylogger.A", "target": null }, { "id": "NJRat", "display_name": "NJRat", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Private Internet Access", "display_name": "Private Internet Access", "target": null }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null }, { "id": "W32/WannaCryptor.491A!tr.ransom", "display_name": "W32/WannaCryptor.491A!tr.ransom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "TA0029", "name": "Privilege Escalation", "display_name": "TA0029 - Privilege Escalation" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1144", "name": "Gatekeeper Bypass", "display_name": "T1144 - Gatekeeper Bypass" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [ "Telecommunications", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 556, "domain": 206, "URL": 863, "FileHash-SHA256": 1589, "IPv4": 519, "FileHash-MD5": 472, "FileHash-SHA1": 376, "SSLCertFingerprint": 11, "email": 1 }, "indicator_count": 4593, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-04-10T07:27:33.587000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "IPv4": 318, "FileHash-MD5": 593, "FileHash-SHA1": 459, "IPv6": 1, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10421, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afaca79dddf98b72dd06b1", "name": "kitplay + breaktime :(", "description": "all the kits connect. weather map pdf book health calendar the intersect of the apple product webkit aligning with edge node kits is a problem. I have reached 1 mil iocs in a month manually by phone. My ears ring, my hands burn, and my soul is as corrupt as my hollow root. Ive reported this as a whistleblower and ive reported to apple etc. I must take a break after I scan some CVEs until something is done, my lymph nodes in my neck are large and sore, though I hope I could help some. :/ stay well all. sos is because my phone doesnt work in emergency situations despite 30 devices between routers phones conputers being full factory reset. Ive lost everything. month 10.", "modified": "2026-04-09T21:16:02.645000", "created": "2026-03-10T05:31:19.353000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 268, "hostname": 123, "CVE": 11, "FileHash-MD5": 135, "FileHash-SHA1": 51, "FileHash-SHA256": 203, "email": 4, "URL": 48 }, "indicator_count": 843, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69afd95e9073ee0f67be8694", "name": "URLSpirit Spyware | Targeted Device attacks | MITM attacks | AI and Browser Attacks", "description": "", "modified": "2026-04-09T08:02:04.521000", "created": "2026-03-10T08:42:06.133000", "tags": [ "msie", "chrome", "search", "united", "unknown ns", "taiwan unknown", "requested range", "ip address", "taiwan", "title", "tlsv1", "windows nt", "wow64", "slcc2", "media center", "stcalifornia", "lmountain view", "ogoogle llc", "unknown", "encrypt", "malware", "suspicious", "learn", "informative", "ck id", "name tactics", "command", "spawns", "found", "id name", "malicious", "over", "ascii text", "pattern match", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "http", "data upload", "enter scords", "one on", "extraction", "http request", "checkin", "observed dns", "query", "dns query", "domain", "lila windows", "all se", "file version", "product vers", "failed", "included ic", "review iocs", "ic data", "status", "ch ua", "emails", "servers", "for privacy", "record value", "trojan", "pegasus", "body", "palantir", "se antivirus", "ids deted", "domains", "tachnalnav dan", "origin", "pe versio", "include review", "exclude sugges", "stop data", "q search", "product", "contact data", "contact urlspirit", "url http", "hostname", "url https", "stop show", "types", "type", "indicator", "defense evasion", "sha1", "legalcopyngn", "copyugnt zur", "fileversic data", "exclude data", "no expiration", "ipv4", "filehashsha256", "filehashsha1", "filehashmd5", "macintosh", "khtml", "type indicator", "iocs", "sc type", "hong kong", "certificate", "enterprise", "adversaries", "evasion att", "urlspirit", "targeted att", "monitored target", "browser attacks", "ai chat", "next level", "quasi", "apple", "android", "windows" ], "references": [ "Exploit Source: 210.64.137.210 | IP\u4f4d\u5740\u8cc7\u8a0a\uff08210.64.0.0 tw.ntunhs.net)", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "Antivirus Detections: Win.Trojan.Agent-1190546", "IDS Detections: URLSpirit Spyware Checkin Observed DNS Query to Suspicious Domain adz2you[.]com", "IDS Detections: DNS Query for Suspicious .cf Domain HTTP Request to a *.xyz domain", "Alerts: network_icmp persistence_autorun disables_proxy modifies_certificates", "Alerts: modifies_proxy_wpad ransomware_dropped_files ransomware_mass_file_delete", "Alerts: dumped_buffer network_cnc_http network_http network_http_post suspicious_tld", "Alerts: allocates_rwx antisandbox_foregroundwindows antisandbox_sleep antivm_disk_size", "Alerts: origin_langid creates_exe injection_process_search multiple_useragents", "Domains Contacted: r4---sn-5goeen7d.googlevideo.com s23.cnzz.com www.youtube.com", "Domains Contacted: c.cnzz.com crl.comodoca4.com ocsp2.globalsign.com a.exdynsrv.com", "Domains Contacted: www.wanuu2.club xml.admidainsight.com www.gstatic.com .", "Indicator deletion during pulse | Requires more research | Positive for MITM attack", "IP\u2019s Contacted: 103.23.108.110 103.23.108.112 103.23.108.114 103.23.108.124 103.23.108.140", "IP\u2019s Contacted: 103.23.108.184 103.23.108.220 103.23.108.80 103.23.108.92 104.18.20.226", "URLSpirit Spyware", "Palantir\u2019s PIT - Prometheus Intelligence Technology Damaging Spyware distribution, AI Man in the Middle Attacks", "Origin: https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "https://otx.alienvault.com/indicator/file/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/8550f80522c90177b58eecc3c31b8e82cfbc0a10283c888a45da497b2b5ddca5", "PE Version Information : LegalCopyright: Copyright 2012 Spiritsoft All Rights Reserved. InternalName\tjingling.exe", "FileVersion: 2013.10.10.100 Company Name: \u7cbe\u7075\u8f6f\u4ef6 Comments: \u6d41\u91cf\u7cbe\u7075(1094) ProductName: \u6d41\u91cf\u7cbe\u7075", "Product Version: 4.0.3.1 File Description: \u6d41\u91cf\u7cbe\u7075 Original File name: jingling.exe", "023097.palantir.events \u2022 palantir.events \u2022 url3561.palantir.events", "13.32.178.127 \u2022 023097.palantir.events \u2022 palantir.events \u2022 Email admin@dnstinations.com", "www.palantir.events \u2022 Email cirt@palantir.com \u2022 0055-b2b-nonprod-bigip1.palantir.events \u2022", "151-80-200-88.palantir.events \u2022 196-196-19-74.palantir.events", "http://www.net-chinese.com.tw \u2022 pixanalytics.com \u2022 pixnet.cc \u2022 pixnet.tv", "quecompegasune.tk \u2022 hipicapegaso.com", "This is part of a Prometheus Intelligence Technology (PIT) Palantir Attack", "Incredibly false information, white screens , pink screens and chat erasure", "Definitely requires further research", "Pegasus Indicators deleted during pulse" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Malaysia" ], "malware_families": [ { "id": "URLSpirit", "display_name": "URLSpirit", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" } ], "industries": [ "Technology", "Government", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 406, "FileHash-SHA1": 391, "FileHash-SHA256": 5770, "URL": 7299, "domain": 1307, "email": 13, "hostname": 2162, "CVE": 3, "SSLCertFingerprint": 45 }, "indicator_count": 17396, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d68fffbf012630d57033b6", "name": "Sabey SWIPPER - Pornhub\u00bbX.Com migration to Twitter | Sabey\u2019s Daddy Data Center ", "description": "", "modified": "2026-04-08T17:27:27.851000", "created": "2026-04-08T17:27:27.851000", "tags": [ "url https", "filehashsha256", "browse scan", "report spam", "author", "output", "tsara brashears", "created", "days ago", "showing", "trojan", "win32", "msil", "trojanspy", "virtool", "scan endpoints", "all search", "otx scoreblue", "author avatar", "fraud", "june", "worm", "search", "tsara type", "indicator role", "title added", "active related", "pulses url", "url http", "ipv6", "type indicator", "role title", "added active", "related pulses", "sort", "least", "researched", "f https", "scan", "iocs", "learn more", "filehashmd5", "hostname", "domain", "indicators show", "browser", "unsupported", "view", "continue", "watch tsara", "searchtsa", "brashears", "most relevant", "porn videos", "download", "google search", "open threat", "babe", "green", "daily", "play", "fullscreen", "tsara", "videos", "love", "top tsara", "xxx videos", "hardcore porn", "jeffrey reimer", "puts", "porn", "javascript", "body", "creation date", "record value", "united", "gmt content", "gmt max", "age900", "httponly x", "date", "unknown", "pragma", "levelblue", "exchange open", "threat exchange", "indicator", "safebae", "get involved", "anyone else", "press", "data reports", "teen students", "become", "chapter lead", "become a", "certified peer", "district", "brian sabey", "sabey data", "hallrender", "sabey data centers", "swipper", "mark b sabey", "m brian sabey", "2beeg", "thebrotherssabey", "urls", "show", "cloudflarenet", "us urlscan", "skip", "accessibility", "all images", "videos shopping", "forums news", "web more", "tools", "service", "malicious", "size", "recent", "off blur", "find", "summary", "securitytrails", "urlscan https", "tryporn", "icann whois", "data problem", "disclaimer", "judaporn", "kompoz", "blur filter", "search results", "xxxvideohd", "hacker news", "item", "url", "website", "web", "scanner", "analyze", "analyzer", "september", "domains", "sale worldwide", "street", "gate parkway", "stateprovince", "postal code", "route", "open", "watch", "links", "footer", "delete see", "delete c", "tofsee", "grum", "entries", "cape", "high", "total", "copy", "write", "malware", "patched", "next", "please" ], "references": [ "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://SafeBae.org | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1", "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html billpay.stcu.org", "bfxxxhindi.to www.bfxxxhindi.to https://www.bfxxxhindi.to tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://alohatube.xyz/search/tsara-brashears http://alohatube.xyz/search/tsara-brashears/", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html", "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html", "http://pornbitter.com/storage/tsara-brashears/ http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru", "http://browntubeporn.com/tsara-brashears.html browntubeporn.com http://pornvideoj.com/tsara-brashears.htm", "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian", "feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us www.tryporn.net", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info", "http://www.tryporn.net/seach/tsara-brashears/ hicksandchicks.org redpornvideos.net http://advocate-smyslova.ru/tsara-brashears/", "http://flexporn.net/tsara-brashears.html http://onlyindianporn.net/videos/tsara-brashears/ http://pornbitter.com/storage/tsara-brashears/", "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html", "http://www.bukaporn.net/trend/tsara-brashears/ http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/ hlebo.mobi pornpx.com www.potnhub.org", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language http://www.music-forum.", "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ http://redpornvideos.net/tsara-brashears.html", "https://wallpapers-nature.com/ https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io https://www.sweetheartvideo.com/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net https://www.sweetheartvideo.com/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://xlxx.mobi phishing\thttps://2beeg.me https://2beeg.net https://www.redporn.video https://youjizz.sex 2beeg.me xlxx.mobi ladys.one", "tsara-brashears-deadspin-twitter-suspended-account-help.ht videolal.com wallpapers-nature.com www.sweetheartvideo.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ Domain mom2fuck.mobi https://youjizz.sex/tsara-brashears.html https://youjizz.sex", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news", "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ orangeporntube.net www.tryporno.net", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception http://pixelrz.com/lists/keywords/tsara-brashears-dead/ http://orangeporntube.net/tsara-brashears.html", "http://www.tryporno.net/movies/tsara-brashears/ http://www.pixelrz.com/lists/keywords/tsara-brashears/", "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ sexiezpics.com", "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/ http://pornohata.com/mov/tsara-brashears/", "http://onlyindianporn2.com/videos/tsara-brashears/ onlyindianporn2.com-porn.html aninditaannisa.blogspot.com porno-trash.net", "myhotzpic.com pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears", "http://pornstarsporno.net/tsara-brashears.html http://vtwctr.org/explore/inmate-tsara-brashears/", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html", "Hostname aninditaannisa.blogspot.com No Expiration\t0\t URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html billpay.stcu.org", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com", "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |", "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com", "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t URL http://server1.sabeydatacenters.com No Expiration\t0\t URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com", "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872", "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/", "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com", "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |", "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com", "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/", "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com", "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |", "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511", "1a8fc49a4265fe146976/1523680312 | https://thebrotherssabey.com/2018/04/22/the | https://thebrotherssabey.com/2019/07/08/suffering", "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697", "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com", "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why", "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun", "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |", "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge", "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton", "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy", "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com", "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/author/dbsabey/", "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D", "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter", "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:", "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/", "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html", "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236" ], "public": 1, "adversary": "Brian Sabey | Tulach | Sabey Data Centers", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win32/Tofsee.AX", "display_name": "Win32/Tofsee.AX", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1055.013", "name": "Process Doppelg\u00e4nging", "display_name": "T1055.013 - Process Doppelg\u00e4nging" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "69bea426487bffa5384c6f38", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 116, "FileHash-SHA256": 443, "URL": 1878, "domain": 312, "hostname": 518, "email": 5, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 3395, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d653b6e87c5b1f56db3158", "name": "InstallMonstr | Emotet affecting HCA | PHI | PII | Technologies [ScoreBlue]", "description": "", "modified": "2026-04-08T13:15:16.580000", "created": "2026-04-08T13:10:14.081000", "tags": [ "historical ssl", "threat roundup", "october", "september", "referrer", "december", "apple", "apple ios", "sqli dumper", "formbook", "raspberry robin", "redline stealer", "hacktool", "metro", "core", "life", "awful", "darkgate", "snatch", "ransomware", "review", "analyzer paste", "iocs", "urls https", "samples", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "cyber threat", "united", "engineering", "malicious", "phishing", "bambernek", "hostname", "team phishing", "covid19", "malware", "download", "suppobox", "emotet", "team", "facebook", "plasma", "kraken", "downloader", "cisco umbrella", "site", "alexa top", "safe site", "malware site", "malicious site", "malicious url", "million", "blacklist https", "installcore", "blacklist", "hostnames", "urls http", "cnc server", "cnc feodo", "tracker", "cronup threat", "threats et", "emotet ip", "blocklist", "coalition et", "feodo", "generic", "dridex", "team top", "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "headers date", "gmt server", "sale", "html info", "title", "meta tags", "usd twitter", "utc google", "tag manager", "utc gtmsxrf", "html", "dan.com", "my boy dan", "dark consultants", "brent kimball", "kb body", "headers", "expires thu", "please", "show", "medium", "search", "service", "open", "centerchecks", "copy", "post http", "memcommit", "trojan", "write", "win32", "erase", "find", "close", "scan endpoints", "all scoreblue", "alf features", "related pulses", "file samples", "files matching", "date hash", "showing", "next", "aaaa", "asnone united", "a domains", "script urls", "passive dns", "entries", "body doctype", "date", "unknown", "title error", "ipv4", "pulse submit", "url analysis", "urls", "yara rule", "t1063", "high", "high security", "discovery", "etpro malware", "tls sni", "guard", "tsara brashears", "delete", "post", "msie", "windows nt", "wow64", "slcc2", "media center", "findwindowa", "ollydbg", "regsetvalueexa", "regdword", "high process", "x8bxe5", "regbinary", "injection t1055", "august", "internal", "best targets", "sites", "manjusaka", "china", "high level", "hackers", "june", "mail spammer", "zeus", "telefonica co", "proxy", "nanocore rat", "stealer", "pony", "betabot", "asyncrat", "blacklist http", "alexa", "bank", "fuery", "zbot", "pe32", "intel", "ms windows", "ms visual", "win16 ne", "pe32 compiler", "exe32", "compiler", "linker", "gui32", "vs2003", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "overlay", "flow t1574", "dll sideloading", "create", "modify system", "process t1543", "windows service", "stop service", "start service", "boot", "logon autostart", "get http", "request", "host", "memory pattern", "cus cnmicrosoft", "azure tls", "issuing ca", "http requests", "connect azurepc", "dns resolutions", "evil", "samplepath", "classname", "created", "shell commands", "evil c", "user", "shelltraywnd", "pcidump rasman", "processes tree", "registry keys", "hashes", "apple notepad", "cyberstalking", "highly targeted", "cyber attack", "spotify artist", "gamers", "critical risk", "remote system", "cobalt strike", "mon jul", "fakedout threat", "maltiverse", "adware", "drivertalent", "fusioncore", "riskware", "pdf document", "adobe portable", "document format", "history", "oc0008", "catalog tree", "ob0005 defense", "evasion ob0006", "hide artifacts", "e1564 discovery", "ob0007 system", "e1082 impact", "e1203 data", "exploitation", "ob0012 hide", "adversaries", "spawns", "sandbox", "mitre att", "access ta0001", "t1189 found", "ta0004 process", "defense evasion", "connection", "accept", "response", "win64", "khtml", "gecko", "date mon", "pragma", "dangeroussig", "heur", "phishing site", "dos com", "javascript", "files", "file type", "web open", "font format", "sneaky server", "replacement", "unauthorized", "mr windows", "url https", "steganography", "clickjacking", "amazon 02", "tmobile", "executable", "basic", "os2 executable", "clipper dos", "generic windos", "pe32 packer", "info header", "win32 exe", "ip detections", "country", "contacted", "phishtank", "services", "http attacker", "hitmen", "murderers", "redrum", "brian sabey", "workers compensation", "aig", "industry_and_commerce", "quasi" ], "references": [ "https://darkconsultants.com/brent-kimball", "HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others", "Matches rule User with Privileges Logon by frack113", "Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control", "Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f", "Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB", "Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer", "Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows", "Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy", "Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e", "Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af", "Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682", "Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f", "Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe", "Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a", "Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef", "Antivirus Detections: Win32:Shiz-JT\\ [Trj] ,\u00a0Win.Trojan.Generic-6323528-0 ,\u00a0Backdoor:Win32/Simda.gen!B", "IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string ,\u00a0 dbgdetect_procs", "Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios", "Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory", "Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete", "Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems)", "CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems)", "IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection", "roblox-hack-tool-jailbreak_GM431946152.pdf", "Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community", "Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali", "http://connectivitycheck.gstatic.com/generate_204", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net", "hannahseenan.pornsextape.com", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=", "Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789", "FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631", "Tulach: 114.114.114.114", "kaiser-friedrich-halle.de | kurma.hosting-mexico.net" ], "public": 1, "adversary": "State of Colorado", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Trojan:Win32/Emotet!MTB", "display_name": "Trojan:Win32/Emotet!MTB", "target": "/malware/Trojan:Win32/Emotet!MTB" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallMonstr", "target": null }, { "id": "Backdoor:Win32/Simda.gen!B", "display_name": "Backdoor:Win32/Simda.gen!B", "target": "/malware/Backdoor:Win32/Simda.gen!B" }, { "id": "Trojan.Scar.lzt", "display_name": "Trojan.Scar.lzt", "target": null }, { "id": "Trojan.Click1.19227", "display_name": "Trojan.Click1.19227", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "phishing.phishinggame", "display_name": "phishing.phishinggame", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [ "Healthcare", "Technology", "Telecommunications", "Civilian Society" ], "TLP": "green", "cloned_from": "66c1d668b2adcc909d7608bf", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3660, "FileHash-SHA1": 2288, "FileHash-SHA256": 4720, "CVE": 8, "URL": 896, "domain": 338, "hostname": 839, "IPv4": 10 }, "indicator_count": 12759, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aeda93ec05fb8653adca6d", "name": "clone of my pulse. this dmv kit pdfkit.net used the same off logo kit it was one of the few i found in their fcc application . rpi&macids look for", "description": "", "modified": "2026-04-08T00:00:45.252000", "created": "2026-03-09T14:34:59.072000", "tags": [ "pfft.net" ], "references": [ "" ], "public": 1, "adversary": "pi, pdfkit.net", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "698c75717175e2cc7ff33df2", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 551, "domain": 638, "CVE": 114, "hostname": 449, "email": 28, "FileHash-MD5": 145, "FileHash-SHA1": 188, "FileHash-SHA256": 132, "Mutex": 1 }, "indicator_count": 2246, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69acefddb438775a0be13420", "name": "Whistleblower Retaliation.", "description": "0397da2aa5e340a30ea939c5606cc9a131137d044f23ef812067e5c, as part of a series of events.", "modified": "2026-04-07T03:06:04.004000", "created": "2026-03-08T03:41:17.684000", "tags": [ "key identifier", "v3 serial", "number", "update secure", "server ca", "validity", "cus stwa", "subject public", "key info", "key algorithm", "thumbprint" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1275, "FileHash-MD5": 143, "FileHash-SHA1": 149, "hostname": 49, "URL": 230, "domain": 278, "email": 4 }, "indicator_count": 2128, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69acf1efcec7f441e28e034a", "name": "cve-2026-20122", "description": "", "modified": "2026-04-07T03:06:04.004000", "created": "2026-03-08T03:50:07.850000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "hostname": 20, "domain": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69abd3a39b21902d77003ccb", "name": "domain iocs LI", "description": "Details and details of a malicious web address found in the linkedin.com community:-1-2-3-7-28 February 2017, and here is the full set of details.", "modified": "2026-04-06T08:01:04.640000", "created": "2026-03-07T07:28:35.218000", "tags": [ "secure", "httponly", "path", "submission", "samesitenone", "history first", "analysis", "utc http", "response final", "url https", "body", "title", "enjoy", "pragma", "date", "cloud" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 5, "FileHash-SHA256": 26, "URL": 180, "domain": 32, "hostname": 126, "email": 2 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aa2bd7c559bc6374229dd5", "name": "https://app.zencoder.com", "description": "phishing and medium.com iocs", "modified": "2026-04-05T01:24:33.524000", "created": "2026-03-06T01:20:23.852000", "tags": [ "present mar", "as13335", "united", "aaaa", "whitelisted", "a domains", "status", "certificate", "date", "entries", "body", "title", "html document", "unicode text", "utf8 text", "language" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 133, "FileHash-MD5": 53, "FileHash-SHA1": 52, "FileHash-SHA256": 51, "domain": 115, "email": 2, "hostname": 108 }, "indicator_count": 514, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69aa0c07ce3cd1822c02a231", "name": "scnr.com", "description": "", "modified": "2026-04-04T23:37:39.530000", "created": "2026-03-05T23:04:39.475000", "tags": [ "united", "script urls", "unknown", "as13335", "as44273 host", "for privacy", "as47846", "germany unknown", "a domains", "redacted for", "date", "title", "body", "encrypt", "server", "registrar abuse", "iana id", "contact email", "dnssec", "domain status", "contact phone", "registrar url", "registrar whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 338, "URL": 159, "FileHash-SHA1": 77, "email": 8, "hostname": 741, "FileHash-SHA256": 13, "FileHash-MD5": 13 }, "indicator_count": 1349, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a9faf860d61b426ca9415c", "name": "aa49f4fb7b92869aca6af7b5266ea67b69c56733e542b3819c040c4dc4d9027e", "description": "b205b82d2b19366df50d00533bbd7234\n5b3b4934f32796e7a00ee21c7269d2a84f1a57b3\naa49f4fb7b92869aca6af7b5266ea67b69c56733e542b3819c040c4dc4d9027e\ndea8c07abb745c9055100be3a92a9fbc\n12288:Tk6fTce9KJ4cG33LBRHC+Qg0Edx4I4vkC5x:Tk63UJfutRRDI\nT14425E703FE9C0BDEE586D53B28959E18181FFA1C05E9CBCB5ABCD1453E518896EF013A\nMS Word Document \ndocument\nmsoffice\ntext\nword\ndoc\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: PC, Template: Normal.dotm, Last Saved By: PC, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:00, Create Time/Date: Sat Jul 14 17:14:00 2018, Last Saved Time/Date: Sat Jul 14 17:26:00 2018, Number of Pages: 857, Number of Words: 82828, Number of Characters: 472121, Security: 0\nMicrosoft Word document (50.4%) Microsoft Word document (old ver.) (31.9%) Generic OLE2 / Multistream Compound (13.4%) Unity binary serialized Assets (generic) (4.2%)\nDOC\n1017.00 KB (1041408", "modified": "2026-04-04T22:00:08.364000", "created": "2026-03-05T21:51:52.580000", "tags": [ "united", "as8068", "aaaa", "as8075", "a domains", "meta", "passive dns", "creation date", "expiration date", "date", "accept" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 3, "URL": 27, "domain": 298, "email": 6, "hostname": 85, "FileHash-SHA256": 2 }, "indicator_count": 426, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a8ae60ef19e1d1f3c88461", "name": "3.32.100.98", "description": "interesting certificate string researchers take note : Subject: CN=*.execute-api.us-gov-west-1.amazonaws.com\nSubject Public Key Info:", "modified": "2026-04-03T22:17:43.738000", "created": "2026-03-04T22:12:48.990000", "tags": [ "united", "as8987 amazon", "passive dns", "unknown", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "location united" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45, "domain": 623, "email": 16, "URL": 48, "CVE": 1 }, "indicator_count": 733, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a77cfcac37b94cdafabb0d", "name": "Outlook", "description": "IOCS", "modified": "2026-04-03T08:24:06.638000", "created": "2026-03-04T00:29:48.657000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 712, "domain": 759, "hostname": 194, "FileHash-SHA1": 148, "email": 37, "FileHash-SHA256": 437, "FileHash-MD5": 118, "CVE": 1 }, "indicator_count": 2406, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a6667cc81826a4ae1dd3ea", "name": "dropbox.com", "description": "Verdict\nWhitelisted\nIP Address\n162.125.248.18\nLocation\n\nUnited States\nASN\nAS19679 dropbox inc.\nNameservers\nns-1949.awsdns-51.co.uk.\n, \nns-315.awsdns-39.com.\nMore\nWHOIS\nRegistrar:\nMarkMonitor, Inc., \nCreation Date:\nJun 27, 1995\nRelated Pulses\nOTX User-Created Pulses (50)\nRelated Tags\n1747 Related Tags\n320700\n, \n368600\n, \n1575038779\n, \ngeoip\n, \nas54113\nMore\nIndicator Facts\n997 malicious files communicating\nHistorical OTX telemetry\nRunning webserver\n105 subdomains\nFilesharing\nSPF record\nPresent in Umbrella\nPresent in Majestic\nPresent in Akamai\nAntivirus Detections\nALF:E5.SpikeAex.DYNHASH\n, \nBackdoor:Win32/Drixed.J\n, \nCan't access file\n, \nTrojan:Win32/Banload.E\n, \nTrojan:Win32/Pariham.A\nMore\nAV Detection Ratio\n997\n / 1000\nExternal Resources\nWhois, \nUrlVoid, \nVirusTotal", "modified": "2026-04-02T04:35:49.117000", "created": "2026-03-03T04:41:32.619000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 318, "FileHash-MD5": 1055, "FileHash-SHA1": 1067, "FileHash-SHA256": 2018, "email": 6, "hostname": 210, "URL": 371 }, "indicator_count": 5045, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ccd2f7984fad6feebb4ca4", "name": "VirusTotal report\n for index.html", "description": "The full text of the full report-to-gws, which was published on 1 April 2026, has been published online by the Csp website, following a request from the BBC>pretext .", "modified": "2026-04-01T08:44:36.825000", "created": "2026-04-01T08:10:31.621000", "tags": [ "self", "downlink rtt", "html document", "ascii text", "crlf line", "windows", "linux", "build web", "html", "javascript", "https", "acceptencoding", "cookie", "dynamic", "authorization", "contentmd5", "wp engine", "xmsedgeref ref", "bl2edge1520 ref", "expires sun", "gmt date", "gmt xcache", "tcphit", "gmt etag", "b8glwd", "afeap", "bmxagc", "e5bfse", "bgs6mb", "bjwmce", "ciztgb", "kqhykb", "cxxawb", "fevhcf", "code", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "redmond tech", "samesitelax", "path", "httponly", "secure", "priorityhigh", "gmt contenttype", "contentlength", "connection", "cfray", "accept", "anycast", "wifi display", "android", "hdtv", "anycast og", "anything", "big screen", "mobileoptimized", "try shopify", "platform", "businesses", "shopify fb", "shopify og", "snapchat", "chat", "snaps", "a snap", "utc google", "adobe dynamic", "tag management", "amazon", "utc amazon", "utc facebook", "connect na", "analytics na", "tag manager", "gdlname", "miss", "drupal", "miss xtimer", "ve9 xcache", "miss date", "gmt link", "build", "home og", "cloudfront", "iad6", "kb body", "sha256", "aspen", "aspen one", "return", "transformed og", "aioseo", "site kit", "google", "file type", "name file", "html internet", "unicode text", "utf8 text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 238, "URL": 367, "domain": 80, "hostname": 155, "FileHash-MD5": 115, "FileHash-SHA1": 105, "email": 5, "IPv4": 40, "SSLCertFingerprint": 4 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eacbe2d99caae4a5b2d7", "name": "172.69.58.33", "description": "potential rogue exploit kit", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-19T10:49:47.043000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 18, "FileHash-MD5": 31, "FileHash-SHA1": 29, "FileHash-SHA256": 171, "URL": 432, "domain": 629, "hostname": 461, "CIDR": 6, "email": 23 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6998d15c75b59044877602c1", "name": "Corrupt.... Files", "description": "beaware", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-20T21:25:48.559000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 706, "FileHash-SHA1": 859, "FileHash-SHA256": 1480, "URL": 743, "domain": 1565, "email": 55, "hostname": 912, "CVE": 54, "CIDR": 27 }, "indicator_count": 6401, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699a8339b9e516069852d3e2", "name": "Whitelist Shell", "description": "Data Point for Further Review", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-22T04:16:57.040000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 39, "FileHash-MD5": 2, "FileHash-SHA1": 2, "hostname": 194, "email": 6, "URL": 187, "domain": 263, "CVE": 30 }, "indicator_count": 723, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a1535debec4128ab952040", "name": "I See You, Too. #.icu", "description": "The NSV4-ICU campaign exhibits a profound cryptographic and linguistic mismatch betokening a Western operator driving a foreign engine. While the tactical codebase utilizes GBK-encoded (Simplified Chinese) metadata, the binary logs reveal a definitive tradecraft failure: the presence of \u00ba\u00c3\u00b0\u00c9 (H\u01ceo ba), a conversational \"Alrighty.\" This is likely a failed attempt to utilize a foreign language on a Western-localized screen, resulting in \"Mojibake\" (garbage text) and the semantic error of identifying the developer as a \"Novelist\" (Zu\u00f2zh\u011b) rather than a \"Programmer.\"\nBy stripping Western UTF-8 telemetry through spoofed Nashville (BNA) and Apple/Google thumbprints, the operator confirms Local Root CA injection and a manual interception pipeline. The .icu (I See You) signature is ultimately undermined by the operator's own metadata\u2014effectively a Westerner shouting in a digital dialect they don't speak, creating a detectable encoding-latency signature that peels back the \"invisible typhoon\" mask.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T08:18:37.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 294, "CVE": 22, "URL": 278, "FileHash-MD5": 234, "FileHash-SHA1": 240, "FileHash-SHA256": 1663, "hostname": 142, "YARA": 1, "email": 13, "CIDR": 2 }, "indicator_count": 2889, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a2f3242bb4619c7c2d4d2a", "name": "Port 445 Infection", "description": "", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-28T13:52:36.661000", "tags": [ "alerts", "yara detections", "analysis date", "file score", "unusual port", "potential scan", "infection yara", "pulses", "related tags", "brute force", "delphi", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 193, "FileHash-SHA1": 187, "FileHash-SHA256": 290, "domain": 149, "URL": 12, "CVE": 18, "hostname": 39, "email": 2 }, "indicator_count": 890, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a3231c063d36fb26d438c4", "name": "wordpress.com press key", "description": "WP hosted malware", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-28T17:17:16.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1541, "FileHash-SHA1": 223, "URL": 4382, "email": 13, "hostname": 3063, "FileHash-MD5": 228, "FileHash-SHA256": 1429, "CIDR": 8 }, "indicator_count": 10887, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d30c03b57c38dff915023", "name": "Double Umbrella AS15169/AS21928: This evaluates a critical structural convergence between Google (AS15169) and T-Mobile USA (AS21928) within the global Tier-1 routing backbone", "description": "Research credit: msudosos, The research identifies a high-fidelity pattern where traffic from dual origins commingles within a restricted lateral transit hub, allowing for horizontal movement across backbone providers that typically maintain distinct trust boundaries. Specifically, the Content Origin (Umbrella A) originated by Google (AS15169) reaches the core backbone through a high-trust sequence involving Arelion (AS1299), NTT (AS2914), and GTT (AS3257). Simultaneously, the Mobile Origin (Umbrella B) originated by T-Mobile USA (AS21928) enters the backbone via Cogent (AS174) and Lumen (AS3356). The findings designate Lumen (AS3356) as the central lateral hub where traffic pivots horizontally between the \u201cCore Five\u201d partners-including Zayo (AS6461) and Hurricane Electric (AS6939) \u2014before leaking to international sub-transit peers like Sparkle (AS6762) and Telxius (AS12956), finally exiting at global edge points such as PCCW (AS3491) and Tata (AS6453).", "modified": "2026-03-29T06:02:00.914000", "created": "2026-02-12T01:45:36.128000", "tags": [ "The dynamics of the mudoSOSIntersectalign with sophisticated adv" ], "references": [ "as15169" ], "public": 1, "adversary": "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URI": 1, "domain": 2661, "URL": 6810, "hostname": 2147, "email": 56, "FileHash-SHA256": 2781, "CVE": 172, "FileHash-MD5": 365, "FileHash-SHA1": 344, "IPv4": 1, "CIDR": 20940 }, "indicator_count": 36278, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c3273517158869e0ba780", "name": "Reputation Shielded C2 Pivot; High-Churn Wix Infrastructure with iCloud Exfil Adjacency", "description": "Researcher Note (Feb 11, 2026) IPv4 185.230.61.96 (AS58182 \u2013 Wix.com Ltd.), resolving to unalocated.61.wixsite.com, demonstrates indicators consistent with structured abuse of shared SaaS hosting for command-and-control operations. Passive DNS telemetry reflects 500+ historical domain bindings across 52 TLDs, suggesting deliberate namespace dispersion and rotational overlay management rather than static tenancy. Network detections include repeated FormBook HTTP GET check-ins, Pushdo loader beacon cadence, and Windows Network Diagnostics user-agent spoofing, collectively aligning with controlled tasking infrastructure. Associated artifacts (11/50 AV detections) cluster around credential-stealer and loader families, including FormBook and GandCrab lineage components. The behavioral profile supports assessment of reputation parasitism\u2014leveraging trusted hosting to inherit platform trust and evade domain-based enforcement controls. Confidence: Moderate-High. MITRE: T1071.001, T1105, T1036.", "modified": "2026-03-29T00:29:26.398000", "created": "2026-02-11T07:40:32.757000", "tags": [], "references": [], "public": 1, "adversary": "Tier-1 SaaS Reputation Parasitism Leveraging Wix Infrastructure", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 265, "domain": 294, "URL": 331, "email": 12, "CVE": 61, "FileHash-MD5": 73, "FileHash-SHA1": 64, "FileHash-SHA256": 74 }, "indicator_count": 1174, "is_author": false, "is_subscribing": null, "subscriber_count": 53, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698ef344417f9985660e698b", "name": "Pulse Data", "description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.", "modified": "2026-03-28T07:23:23.210000", "created": "2026-02-13T09:47:48.788000", "tags": [ "imphash", "file type", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections tls", "zeppelin" ], "references": [ "", "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access " ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 646, "FileHash-SHA1": 604, "FileHash-SHA256": 1373, "hostname": 1143, "domain": 1381, "URL": 2537, "CVE": 101, "email": 25, "SSLCertFingerprint": 9 }, "indicator_count": 7819, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c52a93ec21ce2fbb69b8b0", "name": "600+ malicWiNEXE(suspect false dev abuse google/android) please run sandboxed", "description": "The full text of the full report on the 2016/17 Olympic Games, which will take place in Rio de Janeiro, has been published on 20 September.. and will be shown on BBC One.