{ "type": "Domain", "indicator": "htlbid.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/htlbid.com", "alexa": "http://www.alexa.com/siteinfo/htlbid.com", "indicator": "htlbid.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2835289924, "indicator": "htlbid.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68730c407f8484c524c2d7f4", "name": "The Denver Post used for Fake news | Foundry | Twitter | Porn", "description": "Is the Denver Post a honey pot? Portal? Used for investigating? Smear campaigns? \n\nVictims reported for multiple years their names have been advertised in malicious red report campaigns, obituaries, threats. This has been true of the Ricky Mountain News which has been out of business for years and Denver Post.\n\n\nI can\u2019t annotate so I can\u2019t include references.\nReferences:\nFoundry\nTwitter\nDouglas Undersheriff who was either being smeared or heading a smear campaign.\nPorn\nTwitter \nInjured worker\u2019s compensation targets with la he loss including death.\nThey don\u2019t want to pay. Crazy fact: Workers compensation keeps the nearly a billion $ annually tax free. Does not want to pay. Bonuses doctors and anyone who will deny truly injured workers their compensation. \n#callthecopsifyousee_o-o_t_pac", "modified": "2025-08-12T01:02:51.771000", "created": "2025-07-13T01:30:40.917000", "tags": [ "gtmtlfp4r", "utc gtmtlfp4r", "domains", "hashes", "reverse dns", "url https", "general full", "united", "security tls", "resource", "protocol h2", "software", "hash", "name value", "main", "spurlock", "carlos illescas", "wordpress", "denver post", "server nginx", "date sun", "gmt contenttype", "connection", "wordpress vip", "https", "link", "json", "contentencoding", "miss xrq", "value", "july", "variables", "osano function", "gpp function", "tcfapi function", "uspapi", "mg2 string", "bcclass", "dfmadmodslevel", "xblocker", "extraction", "data upload", "extrac", "included data", "review ious", "u excluded", "suggesteroo", "ony incude", "failed", "so type", "extra data", "includec review", "exclude suggest", "find s", "s type", "ur extraction", "extract", "included ic", "review ioc", "type no", "extri", "include review", "exclude sugges", "typ filel", "filet filet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1774, "FileHash-SHA256": 3808, "domain": 373, "FileHash-MD5": 155, "FileHash-SHA1": 135, "hostname": 1156 }, "indicator_count": 7401, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "385 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "arm64e-apple-macos.swiftinterface", "APConfigurationSystem.tbd", "apple-dns.net", "process_list.txt", "Info.plist", "main.cf.default", "MultipeerConnectivity.h", "Admin.tbd", "pf.os", "emails.redvue.com (apple DNS w/amvima)", "ldap.h", "dbivport.h", "kexts.txt", "networks", "disk_structure.txt", "x86_64-apple-macos.swiftinterface", "custom-error.html", "ttys", "api.useragentswitch.com", "etcHosts.csv", "hook_op_check.h", "csh.cshrc", "LocalAuthentication.tbd", "MultipeerConnectivity.tbd", "zshrc_Apple_Terminal", "security_status.txt", "resolv.conf", "aliases", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "protocols", "version.plist", "master.cf", "ftpusers", "142.250.180.4 (init.ess)", "bashrc_Apple_Terminal", "master.cf.default", "MCNearbyServiceAdvertiser.h", "users.csv", "https://urlscan.io/domain/maxwam.tk", "pf.conf", "AppleFirmwareUpdate.tbd", "ntp_opendirectory.conf", "find.codes", "xtab", "paths", "syslog.conf", "virtual", "asl.conf", "master.cf.proto", "generic", "manpaths", "systemInfo.csv", "sipConfig.csv", "chromeExtensions.csv", "certificates.csv", "gettytab", "relocated", "lber.h", "mounts.csv", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "bashrc", "shells", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "DBIXS.h", "dbd_xsh.h", "passwd", "com.apple.screensharing.agent.launchd", "usbDevices.csv", "http://tracks.theleders.family", "kernel.csv", "LICENSE", "interfaceDetails.csv", "autofs.conf", "man.conf", "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "kern_loader.conf", "custom_header_checks", "irbrc", "profile", "TLS_LICENSE", "systemControls.csv", "dns.google (DNS client services - Doug Cole)", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "Driver_xst.h", "launchagents.txt", "bind.html", "MCSession.h", "makedefs.out", "smb.conf", "nr-data.net", "transport", "ntp.conf", "rpc", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "afpovertcp.cfg", "103.233.208.9 (CNC IP)", "dbixs_rev.h", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "rtadvd.conf", "AirPlayReceiver.tbd", "zprofile", "BUILDING", "command_args.json", "auto_master", "mounts.txt", "battery.csv", "module.modulemap", "crashes.csv", "main.cf.proto", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "csh.logout", "bounce.cf.default", "newsyslog.conf", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "notify.conf", "MultipeerConnectivity.apinotes", "launchD.csv", "sudo_lecture", "managedPolicies.csv", "content-negotiation.html", "postfix-files", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "MCAdvertiserAssistant.h", "access", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "main.cf", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "launchdaemons.txt", "applications.csv", "MCError.h", "apex.jquery.com (scammer | works for who?)", "auto_home", "caching.html", "LDAP.tbd", "configuring.html", "freeimdatingsites.thomasdobo.eu", "group", "header_checks", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "rc.common", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "preboot_archive_errors.log", "rmtab", "AOSKit.tbd", "rc.netboot", "interfaceAddrs.csv", "http://mobtrack.trkclk.net", "locate.rc", "csh.login", "zshrc", "user_launchagents.txt", "sharedFolders.csv", "MCPeerID.h", "sudoers", "diskEncryption.csv", "sharingPreferences.csv", "CodeResources", "canonical", "convenience.map", "mail.rc", "dbi_sql.h", "MCBrowserViewController.h", "MCNearbyServiceBrowser.h", "nfs.conf", "photos.theleders.family", "index.html.en", "apfs_boot_mount.tbd" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Et", "Trojanspy", "Gamehack", "Maltiverse", "States", "Lastname", "Firstname", "Webtoolbar", "Beach research", "Generic" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68730c407f8484c524c2d7f4", "name": "The Denver Post used for Fake news | Foundry | Twitter | Porn", "description": "Is the Denver Post a honey pot? Portal? Used for investigating? Smear campaigns? \n\nVictims reported for multiple years their names have been advertised in malicious red report campaigns, obituaries, threats. This has been true of the Ricky Mountain News which has been out of business for years and Denver Post.\n\n\nI can\u2019t annotate so I can\u2019t include references.\nReferences:\nFoundry\nTwitter\nDouglas Undersheriff who was either being smeared or heading a smear campaign.\nPorn\nTwitter \nInjured worker\u2019s compensation targets with la he loss including death.\nThey don\u2019t want to pay. Crazy fact: Workers compensation keeps the nearly a billion $ annually tax free. Does not want to pay. Bonuses doctors and anyone who will deny truly injured workers their compensation. \n#callthecopsifyousee_o-o_t_pac", "modified": "2025-08-12T01:02:51.771000", "created": "2025-07-13T01:30:40.917000", "tags": [ "gtmtlfp4r", "utc gtmtlfp4r", "domains", "hashes", "reverse dns", "url https", "general full", "united", "security tls", "resource", "protocol h2", "software", "hash", "name value", "main", "spurlock", "carlos illescas", "wordpress", "denver post", "server nginx", "date sun", "gmt contenttype", "connection", "wordpress vip", "https", "link", "json", "contentencoding", "miss xrq", "value", "july", "variables", "osano function", "gpp function", "tcfapi function", "uspapi", "mg2 string", "bcclass", "dfmadmodslevel", "xblocker", "extraction", "data upload", "extrac", "included data", "review ious", "u excluded", "suggesteroo", "ony incude", "failed", "so type", "extra data", "includec review", "exclude suggest", "find s", "s type", "ur extraction", "extract", "included ic", "review ioc", "type no", "extri", "include review", "exclude sugges", "typ filel", "filet filet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1774, "FileHash-SHA256": 3808, "domain": 373, "FileHash-MD5": 155, "FileHash-SHA1": 135, "hostname": 1156 }, "indicator_count": 7401, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "385 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aafd0e93efa420f74123c", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2024-10-12T01:00:47.836000", "created": "2023-12-02T04:17:20.189000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 107, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3895, "URL": 11195, "domain": 2959, "hostname": 3575, "CVE": 16, "SSLCertFingerprint": 1, "email": 1 }, "indicator_count": 24465, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6562908e28e6cdc237fbf8db", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-11-26T00:25:50.529000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656aafce24b001cba328dcbc", "name": "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "description": "", "modified": "2023-12-26T00:03:03.925000", "created": "2023-12-02T04:17:18.188000", "tags": [ "ssl certificate", "contacted", "threat roundup", "whois record", "communicating", "subdomains", "resolutions", "june", "july", "october", "august", "noname057", "generic malware", "ice fog", "tag count", "thu nov", "threat report", "ip summary", "url summary", "summary", "sample", "first", "generic", "detection list", "blacklist http", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malware", "alexa", "malware site", "malicious site", "unsafe", "artemis", "fakealert", "exploit", "opencandy", "riskware", "genkryptik", "iframe", "tiggre", "presenoker", "agent", "conduit", "wacatac", "phishing", "redline stealer", "dropper", "cobalt strike", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "filetour", "cleaner", "installpack", "xrat", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "blacknet rat", "stealer", "maltiverse", "webtoolbar", "trojanspy", "united", "engineering", "cyber threat", "phishing site", "america", "emotet", "zbot", "malicious", "steam", "team", "indonesia", "miner", "ransomware", "ramnit", "pe resource", "historical ssl", "execution", "hacktool", "metasploit", "relic", "monitoring", "android", "skynet", "et", "anonymizer", "trojanx", "back", "laplasclipper", "win64", "trojan", "ghost rat", "suppobox", "asyncrat", "union", "samples", "blacklist", "malicious url", "hostname", "hostnames", "tsara brashears", "reinsurance", "pinnacol insurance", "industry and commerce", "state", "danger", "warning", "nr-data.net", "apple", "data.net", "asp.net", "domains", "hashes", "reverse dns", "general full", "resource", "software", "asn15169", "google", "url http", "server", "hash", "get h2", "main", "cookie", "thu dec", "germany", "frankfurt", "netherlands", "asn20446", "highwinds3", "page url", "search live", "api blog", "docs pricing", "tags", "november", "us summary", "http", "google safe", "browsing", "adware", "xtrat", "firehol", "microsoft", "control server", "services", "msil", "hiloti", "asn16509", "amazon02", "fastly", "asn54113", "prague", "login", "listen live", "centura health", "colorado jobs", "eeo public", "filing url", "blacklist https", "mimikatz", "beach research", "de indicators", "copyright", "gmbh version", "follow", "softcnapp", "philadelphia", "gamehack", "value", "line", "variables", "nreum", "postrelease", "url https", "security tls", "protocol h2", "name value", "scam", "gesponsert url", "outputldjh", "oid2", "uhis2", "uh1200", "uw1600", "uah1200", "uaw1600", "ucd24", "usd1", "utz60", "no data", "coinminer", "ip address", "exchange", "http attacker", "states", "jimburkedentistry", "leder-family", "adam lee", "erika lee", "malvertizing" ], "references": [ "http://maxwam.tk/news/top-stories/widow-penalized-for-late-husband-s-legal-marijuana-use/769762335", "https://www.denverpost.com/2018/07/17/marijuana-workers-compensation/amp/ Source", "http://jcsservices.in/gkqikjxn/index.php?pnz=jim@thejimburkefamily.com", "http://www.burkedentistry.com/Quarryville-Dentist-and-Staff/1567", "http://tracks.theleders.family", "photos.theleders.family", "http://45.159.189.105/bot/regex (tracks Tsara Brashears)", "45.159.189.105 (CNC IP \u2022 Tracking Tsara Brashears)", "http://mobtrack.trkclk.net", "https://otx.alienvault.com/indicator/url/https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "nr-data.net", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "103.233.208.9 (CNC IP)", "apex.jquery.com (scammer | works for who?)", "api.useragentswitch.com", "bam-cell.nr-data.net (Apple Private Data Collection | since found, result continuously modified)", "dns.google (DNS client services - Doug Cole)", "https://www.9and10news.com/2021/09/17/fbi-releases-update-on-suspicious-packages-left-at-att-stores/", "https://api.openinstall.io/api/v2/android/otby76/init?certFinger=44:B4:38:61:15:B4:57:55:B5:BF:D1:6B:34:CC:60:72:DA:C7:40:CE&macAddress=6D:51:08:93:04:7B&serialNumber=&apiVersion=2.3.0&deviceId=&pkg=com.mobikok.ecoupon&version=8.1.0&installId=&androidId=91ed20d90734918e&versionCode=333\u00d7tamp=1684541379839", "apple-dns.net", "emails.redvue.com (apple DNS w/amvima)", "142.250.180.4 (init.ess)", "init.ess.apple.com (Highly malicious. Will infiltrate devices when exploited. Spyware)", "freeimdatingsites.thomasdobo.eu", "https://urlscan.io/result/07fe876e-8864-474f-8b32-ba2d50c9a242/#indicators", "https://urlscan.io/domain/maxwam.tk", "https://urlscan.io/result/e770a861-9818-4309-b31e-fd18510532a7/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "States", "display_name": "States", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": "6562908e28e6cdc237fbf8db", "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1956, "FileHash-SHA1": 867, "FileHash-SHA256": 3751, "URL": 10878, "domain": 2914, "hostname": 3520, "CVE": 16 }, "indicator_count": 23902, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "888 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "htlbid.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "htlbid.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780339135.356169 }