{ "type": "URL", "indicator": "http://example.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://example.com/", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #1608", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain example.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain example.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2571447739, "indicator": "http://example.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "69cc672eba03f3b7260a59d6", "name": "Honeypot Data \u2013 T-Pot - Sydney, Australia - April 2026", "description": "Rolling monthly view for April 2026 of indicators observed by T-Pot CE honeypots. Each run looks back the last 24h and appends newly seen indicators for this month. Signals are deduped and filtered (min event count threshold; private IPs excluded). Intended for defensive use; infrastructure may be compromised or spoofed. Sensor: T-Pot CE. Location: Sydney, Australia.", "modified": "2026-05-31T03:42:17.138000", "created": "2026-04-01T00:30:38.310000", "tags": [ "tpot", "honeypot", "sensor-tagged", "cowrie", "suricata", "dionaea", "honeytrap", "p0f", "fatt", "mailoney", "tanner", "sentrypeer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8823, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "conrat45", "id": "280429", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_280429/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 128, "IPv4": 8293, "IPv6": 267 }, "indicator_count": 8688, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "1 hour ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 0 }, { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a8fab710bf464aa4ee1f17", "name": "Various phishing threats", "description": "", "modified": "2026-05-21T09:32:12.359000", "created": "2024-01-18T10:17:27.763000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 16, "URL": 575, "domain": 86, "email": 15 }, "indicator_count": 692, "is_author": false, "is_subscribing": null, "subscriber_count": 161, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69428baa34e26652c938ef2a", "name": "Honeypot Data \u2013 T-Pot - Sydney, Australia - December 2025", "description": "Rolling monthly view for December 2025 of indicators observed by T-Pot CE honeypots. Each run looks back the last 1h and appends newly seen indicators for this month. Signals are deduped and filtered (min event count threshold; private IPs excluded). Intended for defensive use; infrastructure may be compromised or spoofed. Sensor: T-Pot CE. Location: Sydney, Australia.", "modified": "2026-01-30T23:05:00.056000", "created": "2025-12-17T10:53:30.791000", "tags": [ "tpot", "honeypot", "sensor-tagged", "cowrie", "suricata", "dionaea", "honeytrap", "p0f", "fatt", "mailoney", "tanner", "sentrypeer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39910, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "conrat45", "id": "280429", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_280429/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 750, "FileHash-SHA256": 181 }, "indicator_count": 931, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691efbcbcb3378ab5a309f6d", "name": "Honeypot Data \u2013 T-Pot \u2013 Sydney, Australia \u2013 November 2025", "description": "Rolling monthly view for November 2025 of indicators observed by T-Pot CE honeypots. Each run looks back the last 1h and appends newly seen indicators for this month. Signals are deduped and filtered (min event count threshold; private IPs excluded). Intended for defensive use; infrastructure may be compromised or spoofed. Sensor: T-Pot CE. Location: Sydney, Australia.", "modified": "2025-12-30T03:00:57.780000", "created": "2025-11-20T11:30:18.274000", "tags": [ "tpot", "honeypot", "sensor-tagged", "cowrie", "suricata", "dionaea", "honeytrap", "p0f", "fatt", "mailoney", "tanner", "sentrypeer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Australia" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "conrat45", "id": "280429", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_280429/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 205, "FileHash-SHA256": 65 }, "indicator_count": 270, "is_author": false, "is_subscribing": null, "subscriber_count": 103, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6775b49c4307d0b7d98b7db3", "name": "RFC 6797: HTTP Strict Transport Security (HSTS)", "description": "https://www.rfc-editor.org/favicon.ico\n* If an attacker can spoof a redirect from an insecure victim site, e.g., to , where the latter is attacker-controlled and has an apparently valid certificate. This can lead to a different site with the IP address 101.1Alternatively, if such UA configuration is scriptable, then an attacker can cause UAs to execute his script and set HSTS Policies for whichever desired domains.23.145.167 , a spoof site.", "modified": "2025-01-31T22:00:34.298000", "created": "2025-01-01T21:33:16.319000", "tags": [ "pisa cieka", "warto", "data czas", "klawisz kolejka", "typ warto", "liczy warto", "usuwa cieka", "tablica czasu", "adowania warto", "czas warto", "jzykw klawisz", "lista jzykw", "protected", "zaobserwowany", "hsts", "hsts host", "hsts policy", "http strict", "known hsts", "section", "host", "track", "page", "november", "august", "model", "hosts", "meta", "phish", "jackson", "june", "malware", "service", "manipulation", "concept", "mogul", "tracker", "code", "form", "example", "thus", "davis", "gate", "beware", "martin", "april", "term", "engineering steering", "link text", "javascript", "ipr search", "ietf", "search words", "please", "document search", "search rfc", "search working", "idna2008", "unicode", "idna2003", "status", "unicode idna", "punycode", "processing", "step", "idna", "format", "stop", "korean", "mozilla", "phishing", "tips", "tracker https", "ipr http" ], "references": [ "https://www.rfc-editor.org/rfc/rfc6797#section-6.1", "https://datatracker.ietf.org/ipr/search/?rfc=6797&submit=rfc", "http://unicode.org/reports/tr46/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Engineering Steering", "display_name": "Engineering Steering", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 66, "URL": 148, "domain": 36, "FileHash-SHA256": 319, "FileHash-SHA1": 41, "hostname": 50, "email": 4, "YARA": 1 }, "indicator_count": 665, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63993b596868838805a8f244", "name": "widevinecdm.dll - Supply chain", "description": "", "modified": "2023-01-13T02:00:12.152000", "created": "2022-12-14T02:56:25.758000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1880, "email": 28, "domain": 1202, "URL": 3432, "CIDR": 1, "FileHash-MD5": 90, "FileHash-SHA1": 56, "FileHash-SHA256": 4101 }, "indicator_count": 10790, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "auto_master", "master.cf", "arm64e-apple-ios-macabi.swiftinterface", "csh.cshrc", "main.cf.proto", "MCPeerID.h", "https://www.rfc-editor.org/rfc/rfc6797#section-6.1", "dbivport.h", "battery.csv", "usbDevices.csv", "etcHosts.csv", "systemControls.csv", "ntp_opendirectory.conf", "zshrc", "canonical", "chromeExtensions.csv", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack", "x86_64-apple-macos.swiftinterface", "header_checks", "interfaceDetails.csv", "kernel.csv", "arm64e-apple-macos.swiftinterface", "applications.csv", "resolv.conf", "master.cf.default", "Admin.tbd", "smb.conf", "interfaceAddrs.csv", "AOSKit.tbd", "profile", "newsyslog.conf", "manpaths", "http://unicode.org/reports/tr46/", "afpovertcp.cfg", "csh.logout", "hook_op_check.h", "notify.conf", "protocols", "gettytab", "pf.conf", "convenience.map", "shells", "LICENSE", "MultipeerConnectivity.h", "module.modulemap", "locate.rc", "group", "MCAdvertiserAssistant.h", "caching.html", "index.html.en", "csh.login", "kexts.txt", "bind.html", "BUILDING", "x86_64-apple-ios-macabi.swiftinterface", "launchdaemons.txt", "command_args.json", "relocated", "nfs.conf", "rtadvd.conf", "MCNearbyServiceAdvertiser.h", "https://n0paste.eu/UH6n5pD/", "content-negotiation.html", "APConfigurationSystem.tbd", "aliases", "mail.rc", "networks", "mounts.txt", "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "paths", "systemInfo.csv", "pf.os", "auto_home", "version.plist", "MCBrowserViewController.h", "sudo_lecture", "generic", "xtab", "dbi_sql.h", "disk_structure.txt", "master.cf.proto", "postfix-files", "ftpusers", "autofs.conf", "Info.plist", "https://datatracker.ietf.org/ipr/search/?rfc=6797&submit=rfc", "rmtab", "sharingPreferences.csv", "users.csv", "main.cf", "DBIXS.h", "security_status.txt", "MultipeerConnectivity.tbd", "MCError.h", "irbrc", "zprofile", "mounts.csv", "rpc", "dbd_xsh.h", "asl.conf", "bounce.cf.default", "lber.h", "apfs_boot_mount.tbd", "sharedFolders.csv", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "crashes.csv", "man.conf", "bashrc", "sipConfig.csv", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "main.cf.default", "syslog.conf", "com.apple.screensharing.agent.launchd", "transport", "virtual", "LocalAuthentication.tbd", "LDAP.tbd", "CodeResources", "custom_header_checks", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "configuring.html", "makedefs.out", "MCNearbyServiceBrowser.h", "kern_loader.conf", "managedPolicies.csv", "MCSession.h", "access", "ttys", "preboot_archive_errors.log", "AppleFirmwareUpdate.tbd", "find.codes", "ldap.h", "rc.common", "sudoers", "bashrc_Apple_Terminal", "ntp.conf", "rc.netboot", "TLS_LICENSE", "passwd", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "Driver_xst.h", "custom-error.html", "user_launchagents.txt", "process_list.txt", "AirPlayReceiver.tbd", "certificates.csv", "zshrc_Apple_Terminal", "launchagents.txt", "dbixs_rev.h", "MultipeerConnectivity.apinotes", "diskEncryption.csv", "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "launchD.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group" ], "malware_families": [ "Firstname", "Lastname", "Engineering steering" ], "industries": [ "Government", "Healthcare", "Technology", "Telecommunications", "Education" ], "unique_indicators": 505818 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/example.com", "whois": "http://whois.domaintools.com/example.com", "domain": "example.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "69cc672eba03f3b7260a59d6", "name": "Honeypot Data \u2013 T-Pot - Sydney, Australia - April 2026", "description": "Rolling monthly view for April 2026 of indicators observed by T-Pot CE honeypots. Each run looks back the last 24h and appends newly seen indicators for this month. Signals are deduped and filtered (min event count threshold; private IPs excluded). Intended for defensive use; infrastructure may be compromised or spoofed. Sensor: T-Pot CE. Location: Sydney, Australia.", "modified": "2026-05-31T03:42:17.138000", "created": "2026-04-01T00:30:38.310000", "tags": [ "tpot", "honeypot", "sensor-tagged", "cowrie", "suricata", "dionaea", "honeytrap", "p0f", "fatt", "mailoney", "tanner", "sentrypeer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8823, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "conrat45", "id": "280429", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_280429/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 128, "IPv4": 8293, "IPv6": 267 }, "indicator_count": 8688, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "1 hour ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 0 }, { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a8fab710bf464aa4ee1f17", "name": "Various phishing threats", "description": "", "modified": "2026-05-21T09:32:12.359000", "created": "2024-01-18T10:17:27.763000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 16, "URL": 575, "domain": 86, "email": 15 }, "indicator_count": 692, "is_author": false, "is_subscribing": null, "subscriber_count": 161, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69428baa34e26652c938ef2a", "name": "Honeypot Data \u2013 T-Pot - Sydney, Australia - December 2025", "description": "Rolling monthly view for December 2025 of indicators observed by T-Pot CE honeypots. Each run looks back the last 1h and appends newly seen indicators for this month. Signals are deduped and filtered (min event count threshold; private IPs excluded). Intended for defensive use; infrastructure may be compromised or spoofed. Sensor: T-Pot CE. Location: Sydney, Australia.", "modified": "2026-01-30T23:05:00.056000", "created": "2025-12-17T10:53:30.791000", "tags": [ "tpot", "honeypot", "sensor-tagged", "cowrie", "suricata", "dionaea", "honeytrap", "p0f", "fatt", "mailoney", "tanner", "sentrypeer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39910, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "conrat45", "id": "280429", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_280429/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 750, "FileHash-SHA256": 181 }, "indicator_count": 931, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "120 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694b02eb945649ff909f06d5", "name": "$RECYCLE . BIN\\ -> Part 2", "description": "E:\\Suss-SG2\\$RECYCLE.BIN\\\n\nVictim Google Pixel Telus ISP Norton AV Device\nDevice connected to AHS/Covenant Health, University of Alberta, Government of Alberta", "modified": "2026-01-28T02:03:16.337000", "created": "2025-12-23T21:00:27.029000", "tags": [ "Telus", "YEG", "AHS", "Pixel", "ConnectCare", "Norton", "UAlberta", "Google" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 65761, "FileHash-SHA1": 56561, "FileHash-SHA256": 43672, "domain": 1373, "email": 39, "URL": 466, "hostname": 818, "CVE": 3, "CIDR": 2 }, "indicator_count": 168695, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691efbcbcb3378ab5a309f6d", "name": "Honeypot Data \u2013 T-Pot \u2013 Sydney, Australia \u2013 November 2025", "description": "Rolling monthly view for November 2025 of indicators observed by T-Pot CE honeypots. Each run looks back the last 1h and appends newly seen indicators for this month. Signals are deduped and filtered (min event count threshold; private IPs excluded). Intended for defensive use; infrastructure may be compromised or spoofed. Sensor: T-Pot CE. Location: Sydney, Australia.", "modified": "2025-12-30T03:00:57.780000", "created": "2025-11-20T11:30:18.274000", "tags": [ "tpot", "honeypot", "sensor-tagged", "cowrie", "suricata", "dionaea", "honeytrap", "p0f", "fatt", "mailoney", "tanner", "sentrypeer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Australia" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "conrat45", "id": "280429", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_280429/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 205, "FileHash-SHA256": 65 }, "indicator_count": 270, "is_author": false, "is_subscribing": null, "subscriber_count": 103, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f235b9a7a94a6a61acd651", "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan", "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.", "modified": "2025-03-07T08:38:08.584000", "created": "2024-09-24T03:44:57.902000", "tags": [ "geoip", "public url", "as16509", "amazon02", "as20940", "akamaiasn1", "as8075", "as15169", "google", "akamaias", "facebook", "telecom", "twitter", "media", "win64", "level3", "mini", "ukraine", "proton", "ghost", "win32", "cuba", "mexico", "indonesia", "seznam", "as3359", "as852" ], "references": [ "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1", "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c", "https://n0paste.eu/UH6n5pD/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Anguilla", "Poland", "Aruba", "Australia", "Barbados", "Costa Rica", "Guatemala", "Philippines", "Panama", "Sint Maarten (Dutch part)", "Saint Martin (French part)", "Cayman Islands", "Cura\u00e7ao", "Mexico", "Saint Vincent and the Grenadines", "Saint Kitts and Nevis", "Tanzania, United Republic of", "Netherlands", "Ukraine", "Trinidad and Tobago", "Japan", "Bahamas", "United Kingdom of Great Britain and Northern Ireland", "Georgia" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "CIDR": 1186, "CVE": 4, "FileHash-MD5": 29, "FileHash-SHA1": 3, "URL": 25493, "domain": 5396, "email": 10, "hostname": 10770 }, "indicator_count": 42892, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6775b49c4307d0b7d98b7db3", "name": "RFC 6797: HTTP Strict Transport Security (HSTS)", "description": "https://www.rfc-editor.org/favicon.ico\n* If an attacker can spoof a redirect from an insecure victim site, e.g., to , where the latter is attacker-controlled and has an apparently valid certificate. This can lead to a different site with the IP address 101.1Alternatively, if such UA configuration is scriptable, then an attacker can cause UAs to execute his script and set HSTS Policies for whichever desired domains.23.145.167 , a spoof site.", "modified": "2025-01-31T22:00:34.298000", "created": "2025-01-01T21:33:16.319000", "tags": [ "pisa cieka", "warto", "data czas", "klawisz kolejka", "typ warto", "liczy warto", "usuwa cieka", "tablica czasu", "adowania warto", "czas warto", "jzykw klawisz", "lista jzykw", "protected", "zaobserwowany", "hsts", "hsts host", "hsts policy", "http strict", "known hsts", "section", "host", "track", "page", "november", "august", "model", "hosts", "meta", "phish", "jackson", "june", "malware", "service", "manipulation", "concept", "mogul", "tracker", "code", "form", "example", "thus", "davis", "gate", "beware", "martin", "april", "term", "engineering steering", "link text", "javascript", "ipr search", "ietf", "search words", "please", "document search", "search rfc", "search working", "idna2008", "unicode", "idna2003", "status", "unicode idna", "punycode", "processing", "step", "idna", "format", "stop", "korean", "mozilla", "phishing", "tips", "tracker https", "ipr http" ], "references": [ "https://www.rfc-editor.org/rfc/rfc6797#section-6.1", "https://datatracker.ietf.org/ipr/search/?rfc=6797&submit=rfc", "http://unicode.org/reports/tr46/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Engineering Steering", "display_name": "Engineering Steering", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 66, "URL": 148, "domain": 36, "FileHash-SHA256": 319, "FileHash-SHA1": 41, "hostname": 50, "email": 4, "YARA": 1 }, "indicator_count": 665, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63993b596868838805a8f244", "name": "widevinecdm.dll - Supply chain", "description": "", "modified": "2023-01-13T02:00:12.152000", "created": "2022-12-14T02:56:25.758000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1880, "email": 28, "domain": 1202, "URL": 3432, "CIDR": 1, "FileHash-MD5": 90, "FileHash-SHA1": 56, "FileHash-SHA256": 4101 }, "indicator_count": 10790, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://example.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://example.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780203430.33763 }