{
  "type": "Domain",
  "indicator": "html-load.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/html-load.com",
    "alexa": "http://www.alexa.com/siteinfo/html-load.com",
    "indicator": "html-load.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3998168621,
      "indicator": "html-load.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 22,
      "pulses": [
        {
          "id": "69ca5d583057aaefed16789a",
          "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
          "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
          "modified": "2026-03-30T11:45:14.761000",
          "created": "2026-03-30T11:24:08.053000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "default",
            "sha256",
            "sha1",
            "data",
            "info",
            "accept",
            "win64",
            "damage",
            "openssl",
            "shutdown",
            "direct",
            "explorer",
            "title",
            "payload",
            "rdap",
            "ip version",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity sg679",
            "handle",
            "stealc config",
            "cncs http"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 92,
            "domain": 351,
            "URL": 392,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 168,
            "FileHash-SHA256": 197,
            "email": 12,
            "hostname": 68,
            "CIDR": 4
          },
          "indicator_count": 1433,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 50,
          "modified_text": "20 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b92a27c47d4e28927364",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:26.110000",
          "created": "2026-03-12T13:01:30.067000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 51,
          "modified_text": "38 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b9295603a6100edfa8c8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:24:25.387000",
          "created": "2026-03-12T13:01:29.284000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "38 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927aa7f10e82639d204",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.872000",
          "created": "2026-03-12T13:01:27.872000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b927c086397130c5d114",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:27.275000",
          "created": "2026-03-12T13:01:27.275000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b926871746ed8a1bc324",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:26.440000",
          "created": "2026-03-12T13:01:26.440000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b925e85c948d4dd608cc",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:01:25.852000",
          "created": "2026-03-12T13:01:25.852000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e974189d2c41f07ed8",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:25.910000",
          "created": "2026-03-12T13:00:25.910000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8e74d2b3effd55f88c3",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:23.173000",
          "created": "2026-03-12T13:00:23.173000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8dfbf8426a7a1d0146d",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:15.427000",
          "created": "2026-03-12T13:00:15.427000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d7123610591625b8fb",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:07.354000",
          "created": "2026-03-12T13:00:07.354000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d61e3f64a8f1f169b6",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:06.214000",
          "created": "2026-03-12T13:00:06.214000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b2b8d24eeb4200bdb1d702",
          "name": "operation endgame clone by privacynotacrime (very detailed piece)",
          "description": "",
          "modified": "2026-03-12T13:00:02.096000",
          "created": "2026-03-12T13:00:02.096000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "38 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6675c61d2a8e4554b9985027",
          "name": "BLOCK_2024",
          "description": "",
          "modified": "2026-02-04T19:03:11.880000",
          "created": "2024-06-21T18:27:41.885000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e899612f5527bad9d4e5a8",
          "export_count": 6870185,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BLOCKINGBLOCK",
            "id": "211480",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2306,
            "FileHash-MD5": 4833,
            "URL": 1674,
            "hostname": 1302,
            "FileHash-SHA256": 6371,
            "FileHash-SHA1": 4014,
            "IPv4": 3524,
            "CIDR": 19,
            "email": 190,
            "CVE": 4
          },
          "indicator_count": 24237,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 108,
          "modified_text": "74 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "687992eceac6f12e9cebd65f",
          "name": "Operation Endgame | ThreatIntelligence | Pegasus | Mirai | Berbew | Emotet",
          "description": "Operation Endgame - Mass spying on civilians suspected of involvement in illegal activity. This spying can last for years. Law enforcement and intelligence agencies use infrastructures from Google, Bing, Apple, Amazon, Coudflare, Microsoft, among other companies. Traffic can be masked in DNS and encrypted connections to go undetected. It is recommended to abandon closed-source services and software and opt for fully open-source software and install a powerful firewall. The use of a secure VPN is recommended. \nThere may be repeated indicators and some false positives due to the nature of the threats. We are working to eliminate duplicate entries and false positives. Check the comment box for important notifications. Follow our Telegram channel: @PrivacyNotACrime",
          "modified": "2025-12-28T19:04:27.449000",
          "created": "2025-07-18T00:18:50.968000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 375,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 7,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "privacynotacrime",
            "id": "349346",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218783,
            "CIDR": 14,
            "FileHash-MD5": 1558,
            "domain": 171413,
            "email": 10,
            "hostname": 126790,
            "FileHash-SHA256": 135215,
            "CVE": 7,
            "IPv4": 5987,
            "FileHash-SHA1": 1386,
            "IPv6": 289
          },
          "indicator_count": 661452,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 121,
          "modified_text": "112 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69404b09d8296388596ecfa9",
          "name": "BLOCK_2025_DIC",
          "description": "",
          "modified": "2025-12-24T16:04:11.529000",
          "created": "2025-12-15T17:53:13.004000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6675c61d2a8e4554b9985027",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BLOCKINGBLOCK",
            "id": "211480",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2300,
            "FileHash-MD5": 4833,
            "URL": 1673,
            "hostname": 1297,
            "FileHash-SHA256": 6371,
            "FileHash-SHA1": 4014,
            "IPv4": 3235,
            "CIDR": 19,
            "email": 170,
            "CVE": 4
          },
          "indicator_count": 23916,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 79,
          "modified_text": "116 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a3afba4c6ae03cea4633e7",
          "name": "Endgame 4 | ThreatIntelligence | Pegasus | Graphite | Paragon | Mirai | Berbew  [by privacynotacrime]",
          "description": "",
          "modified": "2025-11-20T00:56:28.210000",
          "created": "2025-08-18T22:56:58.617000",
          "tags": [
            "Spyware",
            "Trojan",
            "Pegasus",
            "DNS",
            "Graphite",
            "Paragon",
            "NSO",
            "NSO Group",
            "Security",
            "Samsung",
            "Google",
            "Amazon",
            "HP",
            "Cloudflare",
            "Endgame",
            "Europe",
            "Espionage",
            "Malware",
            "Campaign",
            "Civil",
            "People",
            "Civilians",
            "Crime",
            "Hackers",
            "Sony",
            "Wix",
            "Mobileye",
            "Skynet",
            "Android",
            "iOS",
            "Mac",
            "Windows",
            "Microsoft",
            "Linux",
            "Mirai",
            "Berbew",
            "Trojan Downloader",
            "html_smuggling",
            "FormBook",
            "stealer"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Canada",
            "Denmark",
            "Finland",
            "Germany",
            "Ireland",
            "Lithuania",
            "Spain",
            "Poland",
            "Romania",
            "United Arab Emirates",
            "Ukraine",
            "Taiwan",
            "Sweden",
            "Norway",
            "Luxembourg"
          ],
          "malware_families": [
            {
              "id": "Pegasus for Android - MOB-S0032",
              "display_name": "Pegasus for Android - MOB-S0032",
              "target": null
            },
            {
              "id": "Pegasus for iOS - S0289",
              "display_name": "Pegasus for iOS - S0289",
              "target": null
            },
            {
              "id": "Skynet",
              "display_name": "Skynet",
              "target": null
            },
            {
              "id": "Graphite (Pegasus variant)",
              "display_name": "Graphite (Pegasus variant)",
              "target": null
            },
            {
              "id": "Paragon (Pegasus variant)",
              "display_name": "Paragon (Pegasus variant)",
              "target": null
            },
            {
              "id": "Backdoor:Linux/Mirai",
              "display_name": "Backdoor:Linux/Mirai",
              "target": "/malware/Backdoor:Linux/Mirai"
            },
            {
              "id": "Mirai (Windows)",
              "display_name": "Mirai (Windows)",
              "target": null
            },
            {
              "id": "TrojanDownloader:Linux/Mirai",
              "display_name": "TrojanDownloader:Linux/Mirai",
              "target": "/malware/TrojanDownloader:Linux/Mirai"
            },
            {
              "id": "Trojan:JS/Berbew",
              "display_name": "Trojan:JS/Berbew",
              "target": "/malware/Trojan:JS/Berbew"
            },
            {
              "id": "ALF:Backdoor:JAVA/Webshell",
              "display_name": "ALF:Backdoor:JAVA/Webshell",
              "target": null
            },
            {
              "id": "ALF:Backdoor:PowerShell/ReverseShell",
              "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
              "target": null
            },
            {
              "id": "Pegasus for Mac",
              "display_name": "Pegasus for Mac",
              "target": null
            },
            {
              "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
              "target": null
            },
            {
              "id": "XLoader for iOS - S0490",
              "display_name": "XLoader for iOS - S0490",
              "target": null
            },
            {
              "id": "Starfighter (Javascript)",
              "display_name": "Starfighter (Javascript)",
              "target": null
            },
            {
              "id": "Careto",
              "display_name": "Careto",
              "target": null
            },
            {
              "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
              "target": null
            },
            {
              "id": "Zeroaccess - S0027",
              "display_name": "Zeroaccess - S0027",
              "target": null
            },
            {
              "id": "#HSTR:HackTool:Win32/RemoteShell",
              "display_name": "#HSTR:HackTool:Win32/RemoteShell",
              "target": null
            },
            {
              "id": "#LowfiTrojan:HTML/Iframe",
              "display_name": "#LowfiTrojan:HTML/Iframe",
              "target": "/malware/#LowfiTrojan:HTML/Iframe"
            },
            {
              "id": "HTML Smuggling",
              "display_name": "HTML Smuggling",
              "target": null
            },
            {
              "id": "ALF:HTML/Phishing",
              "display_name": "ALF:HTML/Phishing",
              "target": "/malware/ALF:HTML/Phishing"
            },
            {
              "id": "Pegasus RDP module for Windows",
              "display_name": "Pegasus RDP module for Windows",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/MediaDownloader",
              "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.001",
              "name": "Compiled HTML File",
              "display_name": "T1218.001 - Compiled HTML File"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1454",
              "name": "Malicious SMS Message",
              "display_name": "T1454 - Malicious SMS Message"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1553.004",
              "name": "Install Root Certificate",
              "display_name": "T1553.004 - Install Root Certificate"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1088",
              "name": "Bypass User Account Control",
              "display_name": "T1088 - Bypass User Account Control"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1596.001",
              "name": "DNS/Passive DNS",
              "display_name": "T1596.001 - DNS/Passive DNS"
            },
            {
              "id": "T1596.004",
              "name": "CDNs",
              "display_name": "T1596.004 - CDNs"
            },
            {
              "id": "T1563.002",
              "name": "RDP Hijacking",
              "display_name": "T1563.002 - RDP Hijacking"
            },
            {
              "id": "T1019",
              "name": "System Firmware",
              "display_name": "T1019 - System Firmware"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Civil",
            "People",
            "Civilians"
          ],
          "TLP": "green",
          "cloned_from": "687992eceac6f12e9cebd65f",
          "export_count": 89,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 14786,
            "CIDR": 3,
            "FileHash-MD5": 2,
            "domain": 8084,
            "email": 1,
            "hostname": 9967,
            "FileHash-SHA256": 5018,
            "CVE": 1,
            "IPv4": 10
          },
          "indicator_count": 37872,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "151 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bfa32ebab9e36508f3c87e",
          "name": "IOC - Inside the Kimsuky Leak: How the \u201cKim\u201d Dump Exposed North Korea\u2019s Credential Theft Playbook",
          "description": "A rare and revealing breach attributed to a North Korean-affiliated actor, known only as \u201cKim\u201d as named by the hackers who dumped the data, has delivered a new insight into Kimsuky (APT43) tactics, techniques, and infrastructure. This actor\u2019s operational profile showcases credential-focused intrusions targeting South Korean and Taiwanese networks, with a blending of Chinese-language tooling, infrastructure, and possible logistical support. The \u201cKim\u201d dump, which includes bash histories, phishing domains, OCR workflows, compiled stagers, and rootkit evidence, reflects a hybrid operation situated between DPRK attribution and Chinese resource utilization.",
          "modified": "2025-10-09T03:04:01.245000",
          "created": "2025-09-09T03:46:54.912000",
          "tags": [
            "spoofed",
            "pastebin",
            "ip addresses",
            "taiwan",
            "national center",
            "brute forcing",
            "infrastructure",
            "vps provider",
            "china unicom",
            "henan mobile"
          ],
          "references": [
            "https://dti.domaintools.com/inside-the-kimsuky-leak-how-the-kim-dump-exposed-north-koreas-credential-theft-playbook/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 121,
          "modified_text": "193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bc38b2ad48290eb84e73f4",
          "name": "Inside the Kimsuky Leak: How the Kim Dump Exposed North Koreas Credential Theft Playbook .",
          "description": "The recent leak attributed to a North Korean threat actor known as \"Kim\" has revealed significant insights into the Kimsuky (APT43) group\u2019s operational tactics, primarily focused on credential theft against South Korean and Taiwanese networks. This breach underscores the actor's use of a hybrid model that incorporates tools and infrastructure typically associated with Chinese cyber operations.\n\nThe leaked data includes command-line histories demonstrating an active malware development environment that employs NASM (Netwide Assembler), highlighting a hands-on approach to malware creation specifically targeting Windows systems. Noteworthy files such as 136001_env.key suggest the theft of sensitive South Korean Government PKI materials, implicating direct compromise of state cryptographic keys that would facilitate identity spoofing in governmental systems.",
          "modified": "2025-10-06T13:02:54.613000",
          "created": "2025-09-06T13:35:46.056000",
          "tags": [
            "taiwan",
            "details regions",
            "south korea",
            "government",
            "telecom",
            "enterprise it",
            "compromise",
            "iocs",
            "spoofed",
            "pastebin"
          ],
          "references": [
            "https://dti.domaintools.com/inside-the-kimsuky-leak-how-the-kim-dump-exposed-north-koreas-credential-theft-playbook/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "display_name": "T1059.002 - AppleScript"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 172,
          "modified_text": "195 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68596260a9ca6c4cc92ca068",
          "name": "Delete service | Affects Threat Research Platforms",
          "description": "Delete service attacking threat researchers platforms. Deletes , blocks, scrambles , attaches to accounts like an overlord monitoring and deletion of Io\u2019s across various platforms. \n\nIDS Rules: PROTOCOL-ICMP PATH MTU denial of service attempt\n\u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\u2022 Matches rule PROTOCOL-ICMP Echo Reply\nInteresting: TLS: SNI: slscr.update.microsoft.com\nSNI: nexusrules.officeapps.live.com\nSNI: login.live.com\nSNI: client.wns.windows.com",
          "modified": "2025-08-20T04:13:22.641000",
          "created": "2025-06-23T14:19:12.328000",
          "tags": [
            "ta0004 defense",
            "evasion ta0005",
            "command",
            "control ta0011",
            "oc0006",
            "get http",
            "resolved ips",
            "dns resolutions",
            "request",
            "response",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "ip address",
            "country name",
            "cname",
            "port",
            "accept",
            "gmt ifnonematch",
            "url data",
            "icmp",
            "mutexes nothing",
            "data",
            "datacrashpad",
            "edge",
            "created",
            "nothing",
            "html internet",
            "html document",
            "ascii text",
            "gtmkvjvztk dl"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2401,
            "URL": 5856,
            "FileHash-SHA256": 3473,
            "domain": 2188,
            "FileHash-MD5": 123,
            "FileHash-SHA1": 120,
            "CVE": 2
          },
          "indicator_count": 14163,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "243 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c089a12a25bb3a8d5c5b5f",
          "name": "WhinySuckBaby",
          "description": "Files from a Virus that has plagued my life for the past 7 months. Preboots Bios and spreads via bluetooth.\nInfected Best Buy's network, which they deny, causing me to call it The Best Buy Virus. Previously I referred to it everywhere as WhinySuckyBaby because of how childish the individual on the other side is.",
          "modified": "2025-05-15T09:15:41.046000",
          "created": "2024-08-17T11:29:37.460000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Jeff4Son",
            "id": "291365",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 284,
            "FileHash-SHA1": 284,
            "FileHash-SHA256": 764,
            "URL": 420,
            "domain": 365,
            "hostname": 1217,
            "email": 1,
            "FilePath": 1,
            "SSLCertFingerprint": 9
          },
          "indicator_count": 3345,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 31,
          "modified_text": "340 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d0c4cb716b88c464c666c3",
          "name": "The Best Buy Virus - Spreads Via Bluetooth, Pre-Boots Bios",
          "description": "https://any.run/report/c6240ca88eed5b237451d4ceab51a5df1e8bc3b0a4a0e099fbe4b9f0d5cf23a2/bb5def03-bc05-461a-8f31-dac27aa379a3#i-table-processes-e4bd3114-7005-4ba7-96c9-337696f5c010\n\nFormerly referred to as WhinySuckyBaby before Best Buy Corporate elected to completely avoid all responsibility for the virus that they are spreading to anyone that walks into those stores. Infection is proven and on video at: Https://BiosVir.us or https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
          "modified": "2025-05-15T09:15:39.493000",
          "created": "2024-08-29T18:58:19.338000",
          "tags": [
            "Bios",
            "Virus",
            "Sucky",
            "Bluetooth",
            "CryptoMining",
            "Keylogging",
            "Crypto",
            "Euif",
            "Best",
            "Persistant",
            "Survives Reformat",
            "No Help",
            "Buy",
            "WhinySuckyBaby",
            "Squad",
            "Whiny",
            "Mark Monitor",
            "Digital Stalking",
            "Best Buy",
            "Baby",
            "w3.org",
            "Geek"
          ],
          "references": [
            "",
            "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806",
            "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
            "Https://BiosVir.us",
            "Https://BluetoothVirus.com",
            "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061",
            "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 13,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Jeff4Son",
            "id": "291365",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 422,
            "FileHash-SHA1": 420,
            "FileHash-SHA256": 966,
            "URL": 620,
            "domain": 531,
            "hostname": 1564,
            "email": 6,
            "SSLCertFingerprint": 13
          },
          "indicator_count": 4542,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "340 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://www.tiktok.com/@jeffersonultra/video/7401970649561894150",
        "https://www.virustotal.com/graph/embed/g1313cfcd67d34e9c8d8438d6",
        "https://www.tiktok.com/@jeffersonultra/video/7404142059327687942?is_from_webapp=1&sender_device=pc&web_id=7408601050825868806",
        "Https://BiosVir.us",
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE",
        "Https://BluetoothVirus.com",
        "https://dti.domaintools.com/inside-the-kimsuky-leak-how-the-kim-dump-exposed-north-koreas-credential-theft-playbook/",
        "https://www.virustotal.com/gui/collection/f3bb0fe192a7a669edd061"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others"
          ],
          "malware_families": [
            "Paragon (pegasus variant)",
            "Trojandownloader:linux/mirai",
            "Xloader for ios - s0490",
            "Alf:html/phishing",
            "Zeroaccess - s0027",
            "#lowfi:exploit:java/cve-2012-0507",
            "Mirai (windows)",
            "Trojan:js/berbew",
            "Starfighter (javascript)",
            "Careto",
            "#lowfi:hstr:win32/mediadownloader",
            "Pegasus rdp module for windows",
            "Pegasus for mac",
            "#lowfi:siga:trojandownloader:msil/genmaldow",
            "#lowfitrojan:html/iframe",
            "Backdoor:linux/mirai",
            "Pegasus for android - mob-s0032",
            "Alf:backdoor:java/webshell",
            "Skynet",
            "#hstr:hacktool:win32/remoteshell",
            "Pegasus for ios - s0289",
            "Graphite (pegasus variant)",
            "Alf:backdoor:powershell/reverseshell",
            "Html smuggling"
          ],
          "industries": [
            "People",
            "Civilians",
            "Civil"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 22,
  "pulses": [
    {
      "id": "69ca5d583057aaefed16789a",
      "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
      "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
      "modified": "2026-03-30T11:45:14.761000",
      "created": "2026-03-30T11:24:08.053000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "default",
        "sha256",
        "sha1",
        "data",
        "info",
        "accept",
        "win64",
        "damage",
        "openssl",
        "shutdown",
        "direct",
        "explorer",
        "title",
        "payload",
        "rdap",
        "ip version",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity sg679",
        "handle",
        "stealc config",
        "cncs http"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 92,
        "domain": 351,
        "URL": 392,
        "FileHash-MD5": 149,
        "FileHash-SHA1": 168,
        "FileHash-SHA256": 197,
        "email": 12,
        "hostname": 68,
        "CIDR": 4
      },
      "indicator_count": 1433,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 50,
      "modified_text": "20 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b92a27c47d4e28927364",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:26.110000",
      "created": "2026-03-12T13:01:30.067000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 51,
      "modified_text": "38 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b9295603a6100edfa8c8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:24:25.387000",
      "created": "2026-03-12T13:01:29.284000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "38 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927aa7f10e82639d204",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.872000",
      "created": "2026-03-12T13:01:27.872000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "38 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b927c086397130c5d114",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:27.275000",
      "created": "2026-03-12T13:01:27.275000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "38 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b926871746ed8a1bc324",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:26.440000",
      "created": "2026-03-12T13:01:26.440000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "38 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b925e85c948d4dd608cc",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:01:25.852000",
      "created": "2026-03-12T13:01:25.852000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "38 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b8e974189d2c41f07ed8",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:00:25.910000",
      "created": "2026-03-12T13:00:25.910000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "38 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b8e74d2b3effd55f88c3",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:00:23.173000",
      "created": "2026-03-12T13:00:23.173000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "38 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b2b8dfbf8426a7a1d0146d",
      "name": "operation endgame clone by privacynotacrime (very detailed piece)",
      "description": "",
      "modified": "2026-03-12T13:00:15.427000",
      "created": "2026-03-12T13:00:15.427000",
      "tags": [
        "Spyware",
        "Trojan",
        "Pegasus",
        "DNS",
        "Graphite",
        "Paragon",
        "NSO",
        "NSO Group",
        "Security",
        "Samsung",
        "Google",
        "Amazon",
        "HP",
        "Cloudflare",
        "Endgame",
        "Europe",
        "Espionage",
        "Malware",
        "Campaign",
        "Civil",
        "People",
        "Civilians",
        "Crime",
        "Hackers",
        "Sony",
        "Wix",
        "Mobileye",
        "Skynet",
        "Android",
        "iOS",
        "Mac",
        "Windows",
        "Microsoft",
        "Linux",
        "Mirai",
        "Berbew",
        "Trojan Downloader",
        "html_smuggling",
        "FormBook",
        "stealer"
      ],
      "references": [],
      "public": 1,
      "adversary": "NSO Group - MIrai - Botnets - Spyware - Law enforcement - Intelligence agencies - Others",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Canada",
        "Denmark",
        "Finland",
        "Germany",
        "Ireland",
        "Lithuania",
        "Spain",
        "Poland",
        "Romania",
        "United Arab Emirates",
        "Ukraine",
        "Taiwan",
        "Sweden",
        "Norway",
        "Luxembourg"
      ],
      "malware_families": [
        {
          "id": "Pegasus for Android - MOB-S0032",
          "display_name": "Pegasus for Android - MOB-S0032",
          "target": null
        },
        {
          "id": "Pegasus for iOS - S0289",
          "display_name": "Pegasus for iOS - S0289",
          "target": null
        },
        {
          "id": "Skynet",
          "display_name": "Skynet",
          "target": null
        },
        {
          "id": "Graphite (Pegasus variant)",
          "display_name": "Graphite (Pegasus variant)",
          "target": null
        },
        {
          "id": "Paragon (Pegasus variant)",
          "display_name": "Paragon (Pegasus variant)",
          "target": null
        },
        {
          "id": "Backdoor:Linux/Mirai",
          "display_name": "Backdoor:Linux/Mirai",
          "target": "/malware/Backdoor:Linux/Mirai"
        },
        {
          "id": "Mirai (Windows)",
          "display_name": "Mirai (Windows)",
          "target": null
        },
        {
          "id": "TrojanDownloader:Linux/Mirai",
          "display_name": "TrojanDownloader:Linux/Mirai",
          "target": "/malware/TrojanDownloader:Linux/Mirai"
        },
        {
          "id": "Trojan:JS/Berbew",
          "display_name": "Trojan:JS/Berbew",
          "target": "/malware/Trojan:JS/Berbew"
        },
        {
          "id": "ALF:Backdoor:JAVA/Webshell",
          "display_name": "ALF:Backdoor:JAVA/Webshell",
          "target": null
        },
        {
          "id": "ALF:Backdoor:PowerShell/ReverseShell",
          "display_name": "ALF:Backdoor:PowerShell/ReverseShell",
          "target": null
        },
        {
          "id": "Pegasus for Mac",
          "display_name": "Pegasus for Mac",
          "target": null
        },
        {
          "id": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "display_name": "#Lowfi:SIGA:TrojanDownloader:MSIL/Genmaldow",
          "target": null
        },
        {
          "id": "XLoader for iOS - S0490",
          "display_name": "XLoader for iOS - S0490",
          "target": null
        },
        {
          "id": "Starfighter (Javascript)",
          "display_name": "Starfighter (Javascript)",
          "target": null
        },
        {
          "id": "Careto",
          "display_name": "Careto",
          "target": null
        },
        {
          "id": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "display_name": "#Lowfi:Exploit:Java/CVE-2012-0507",
          "target": null
        },
        {
          "id": "Zeroaccess - S0027",
          "display_name": "Zeroaccess - S0027",
          "target": null
        },
        {
          "id": "#HSTR:HackTool:Win32/RemoteShell",
          "display_name": "#HSTR:HackTool:Win32/RemoteShell",
          "target": null
        },
        {
          "id": "#LowfiTrojan:HTML/Iframe",
          "display_name": "#LowfiTrojan:HTML/Iframe",
          "target": "/malware/#LowfiTrojan:HTML/Iframe"
        },
        {
          "id": "HTML Smuggling",
          "display_name": "HTML Smuggling",
          "target": null
        },
        {
          "id": "ALF:HTML/Phishing",
          "display_name": "ALF:HTML/Phishing",
          "target": "/malware/ALF:HTML/Phishing"
        },
        {
          "id": "Pegasus RDP module for Windows",
          "display_name": "Pegasus RDP module for Windows",
          "target": null
        },
        {
          "id": "#Lowfi:HSTR:Win32/MediaDownloader",
          "display_name": "#Lowfi:HSTR:Win32/MediaDownloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.001",
          "name": "Compiled HTML File",
          "display_name": "T1218.001 - Compiled HTML File"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1454",
          "name": "Malicious SMS Message",
          "display_name": "T1454 - Malicious SMS Message"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1553.004",
          "name": "Install Root Certificate",
          "display_name": "T1553.004 - Install Root Certificate"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1476",
          "name": "Deliver Malicious App via Other Means",
          "display_name": "T1476 - Deliver Malicious App via Other Means"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1088",
          "name": "Bypass User Account Control",
          "display_name": "T1088 - Bypass User Account Control"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1596.001",
          "name": "DNS/Passive DNS",
          "display_name": "T1596.001 - DNS/Passive DNS"
        },
        {
          "id": "T1596.004",
          "name": "CDNs",
          "display_name": "T1596.004 - CDNs"
        },
        {
          "id": "T1563.002",
          "name": "RDP Hijacking",
          "display_name": "T1563.002 - RDP Hijacking"
        },
        {
          "id": "T1019",
          "name": "System Firmware",
          "display_name": "T1019 - System Firmware"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Civil",
        "People",
        "Civilians"
      ],
      "TLP": "green",
      "cloned_from": "687992eceac6f12e9cebd65f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218783,
        "CIDR": 14,
        "FileHash-MD5": 1558,
        "domain": 171413,
        "email": 10,
        "hostname": 126790,
        "FileHash-SHA256": 135215,
        "CVE": 7,
        "IPv4": 5987,
        "FileHash-SHA1": 1386,
        "IPv6": 289
      },
      "indicator_count": 661452,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "38 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "html-load.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "html-load.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776680405.9446278
}