{
"type": "URL",
"indicator": "https://10334aa-fe.skybrud.dk/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://10334aa-fe.skybrud.dk/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 4225179914,
"indicator": "https://10334aa-fe.skybrud.dk/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 4,
"pulses": [
{
"id": "69f54c711cd17df01c20d601",
"name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT",
"description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.",
"modified": "2026-05-31T05:19:13.706000",
"created": "2026-05-02T00:59:29.794000",
"tags": [
"united kingdom",
"united",
"spain",
"denmark",
"report spam",
"adversaries",
"days ago",
"xy amp",
"ck ids",
"packing",
"taskjob",
"ipv4",
"indicator role",
"active related",
"ccus asnas749",
"dynamicloader",
"port",
"high",
"windows",
"destination",
"displayname",
"write c",
"write",
"stream",
"defense evasion",
"malware",
"hostile",
"contacted",
"ids detections",
"query",
"hostile http",
"request",
"lowercase host",
"header observed",
"tls sni",
"yara detections",
"active",
"pulses hostname",
"otx logo",
"all report",
"t1045",
"t1053",
"t1055",
"fastly dns",
".ru",
"microsoft",
"palantirfoundry",
"ioc",
"history",
"compromise",
"antonio apr",
"valeria paredes",
"valeria",
"paredes",
"colorado",
"courts",
"judicial",
"denver county",
"dougco",
"pagosa springs",
"hacking",
"modifications",
"masquerading",
"mock",
"bannock st",
"ericka",
"arevalo antonio",
"criminal attack",
"cyber",
"threat actors",
"bots",
"ascii text",
"json",
"ms windows",
"pe32",
"medium",
"trojan",
"august",
"packer",
"local",
"next",
"rat",
"bat",
"botnet",
"cve",
"yahoo",
"pornhub",
"dns",
"remote",
"password",
"manipulation",
"objection",
"overruled",
"your witness",
"patriot act",
"tsara brashears",
"reflected",
"targeting",
"monitored target",
"incc",
"hua mucatul",
"securityvaleria",
"injection",
"aquire",
"correo",
"number",
"security apr",
"document file",
"v2 document",
"little endian",
"version",
"msi installer",
"code page",
"template",
"logmein",
"title",
"logmein rescue",
"gh0strat",
"emotet",
"scar",
"snake keylogger",
"trojandropper",
"review lo",
"ccdk ,",
"asnas20940",
"tulach",
"login join",
"support privacy",
"notice",
"programs porn",
"found pornstars",
"videos movies",
"now ooops",
"we ca",
"nt find",
"the page",
"sweet",
"click",
"back",
"tulach",
"they know",
"1%",
"f-h",
"englert"
],
"references": [
"https://www.coloradojudicial.gov/data",
"https://cp.bankid.no",
"coloradoproblemsolvingcourts.org?",
"https://odr.coloradojudicial.gov/login",
"http://coloradojudicial.gov/Courts/Supreme_Court/cjds",
"www.its.courts.state.co.us",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.sweetheartvideo.com/tsara-brashears",
"chrome.cloudflare-dns.com",
"https://rockylinux.map.fastlydns.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908275-0",
"display_name": "Win.Trojan.Generic-9908275-0",
"target": null
},
{
"id": "Trojan:Win32/Scar.MR!MTB",
"display_name": "Trojan:Win32/Scar.MR!MTB",
"target": "/malware/Trojan:Win32/Scar.MR!MTB"
},
{
"id": "Trojan:Win32/Zbot",
"display_name": "Trojan:Win32/Zbot",
"target": "/malware/Trojan:Win32/Zbot"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "TrojanDownloader:Win32/VB.IL",
"display_name": "TrojanDownloader:Win32/VB.IL",
"target": "/malware/TrojanDownloader:Win32/VB.IL"
},
{
"id": "TrojanDownloader:Win32/Inbat.H",
"display_name": "TrojanDownloader:Win32/Inbat.H",
"target": "/malware/TrojanDownloader:Win32/Inbat.H"
},
{
"id": "Trojan:Win32/Gupboot.B",
"display_name": "Trojan:Win32/Gupboot.B",
"target": "/malware/Trojan:Win32/Gupboot.B"
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Win.Trojan.Gh0stRAT-7480037-0",
"display_name": "Win.Trojan.Gh0stRAT-7480037-0",
"target": null
},
{
"id": "TrojanDownloader:Win32/Systex.A",
"display_name": "TrojanDownloader:Win32/Systex.A",
"target": "/malware/TrojanDownloader:Win32/Systex.A"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"target": null
},
{
"id": "Win.Trojan.Barys",
"display_name": "Win.Trojan.Barys",
"target": null
},
{
"id": "Win.Trojan.Killav-210",
"display_name": "Win.Trojan.Killav-210",
"target": null
},
{
"id": "TEL:Trojan:Win32/Injector.AB!MSR",
"display_name": "TEL:Trojan:Win32/Injector.AB!MSR",
"target": null
},
{
"id": "TrojanDownloader:Win32/Misfox",
"display_name": "TrojanDownloader:Win32/Misfox",
"target": "/malware/TrojanDownloader:Win32/Misfox"
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1588.001",
"name": "Malware",
"display_name": "T1588.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Technology",
"Law"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 271,
"hostname": 743,
"URL": 1509,
"FileHash-SHA256": 1574,
"IPv4": 30,
"FileHash-MD5": 197,
"FileHash-SHA1": 109,
"SSLCertFingerprint": 4
},
"indicator_count": 4437,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69f5d960e861f6159823ff0b",
"name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI",
"description": "",
"modified": "2026-05-31T05:19:13.706000",
"created": "2026-05-02T11:00:48.440000",
"tags": [
"united kingdom",
"united",
"spain",
"denmark",
"report spam",
"adversaries",
"days ago",
"xy amp",
"ck ids",
"packing",
"taskjob",
"ipv4",
"indicator role",
"active related",
"ccus asnas749",
"dynamicloader",
"port",
"high",
"windows",
"destination",
"displayname",
"write c",
"write",
"stream",
"defense evasion",
"malware",
"hostile",
"contacted",
"ids detections",
"query",
"hostile http",
"request",
"lowercase host",
"header observed",
"tls sni",
"yara detections",
"active",
"pulses hostname",
"otx logo",
"all report",
"t1045",
"t1053",
"t1055",
"fastly dns",
".ru",
"microsoft",
"palantirfoundry",
"ioc",
"history",
"compromise",
"antonio apr",
"valeria paredes",
"valeria",
"paredes",
"colorado",
"courts",
"judicial",
"denver county",
"dougco",
"pagosa springs",
"hacking",
"modifications",
"masquerading",
"mock",
"bannock st",
"ericka",
"arevalo antonio",
"criminal attack",
"cyber",
"threat actors",
"bots",
"ascii text",
"json",
"ms windows",
"pe32",
"medium",
"trojan",
"august",
"packer",
"local",
"next",
"rat",
"bat",
"botnet",
"cve",
"yahoo",
"pornhub",
"dns",
"remote",
"password",
"manipulation",
"objection",
"overruled",
"your witness",
"patriot act",
"tsara brashears",
"reflected",
"targeting",
"monitored target",
"incc",
"hua mucatul",
"securityvaleria",
"injection",
"aquire",
"correo",
"number",
"security apr",
"document file",
"v2 document",
"little endian",
"version",
"msi installer",
"code page",
"template",
"logmein",
"title",
"logmein rescue",
"gh0strat",
"emotet",
"scar",
"snake keylogger",
"trojandropper",
"review lo",
"ccdk ,",
"asnas20940",
"tulach",
"login join",
"support privacy",
"notice",
"programs porn",
"found pornstars",
"videos movies",
"now ooops",
"we ca",
"nt find",
"the page",
"sweet",
"click",
"back",
"tulach",
"they know",
"1%",
"f-h",
"englert"
],
"references": [
"https://www.coloradojudicial.gov/data",
"https://cp.bankid.no",
"coloradoproblemsolvingcourts.org?",
"https://odr.coloradojudicial.gov/login",
"http://coloradojudicial.gov/Courts/Supreme_Court/cjds",
"www.its.courts.state.co.us",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.sweetheartvideo.com/tsara-brashears",
"chrome.cloudflare-dns.com",
"https://rockylinux.map.fastlydns.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908275-0",
"display_name": "Win.Trojan.Generic-9908275-0",
"target": null
},
{
"id": "Trojan:Win32/Scar.MR!MTB",
"display_name": "Trojan:Win32/Scar.MR!MTB",
"target": "/malware/Trojan:Win32/Scar.MR!MTB"
},
{
"id": "Trojan:Win32/Zbot",
"display_name": "Trojan:Win32/Zbot",
"target": "/malware/Trojan:Win32/Zbot"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "TrojanDownloader:Win32/VB.IL",
"display_name": "TrojanDownloader:Win32/VB.IL",
"target": "/malware/TrojanDownloader:Win32/VB.IL"
},
{
"id": "TrojanDownloader:Win32/Inbat.H",
"display_name": "TrojanDownloader:Win32/Inbat.H",
"target": "/malware/TrojanDownloader:Win32/Inbat.H"
},
{
"id": "Trojan:Win32/Gupboot.B",
"display_name": "Trojan:Win32/Gupboot.B",
"target": "/malware/Trojan:Win32/Gupboot.B"
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Win.Trojan.Gh0stRAT-7480037-0",
"display_name": "Win.Trojan.Gh0stRAT-7480037-0",
"target": null
},
{
"id": "TrojanDownloader:Win32/Systex.A",
"display_name": "TrojanDownloader:Win32/Systex.A",
"target": "/malware/TrojanDownloader:Win32/Systex.A"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"target": null
},
{
"id": "Win.Trojan.Barys",
"display_name": "Win.Trojan.Barys",
"target": null
},
{
"id": "Win.Trojan.Killav-210",
"display_name": "Win.Trojan.Killav-210",
"target": null
},
{
"id": "TEL:Trojan:Win32/Injector.AB!MSR",
"display_name": "TEL:Trojan:Win32/Injector.AB!MSR",
"target": null
},
{
"id": "TrojanDownloader:Win32/Misfox",
"display_name": "TrojanDownloader:Win32/Misfox",
"target": "/malware/TrojanDownloader:Win32/Misfox"
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1588.001",
"name": "Malware",
"display_name": "T1588.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Technology",
"Law"
],
"TLP": "green",
"cloned_from": "69f54c711cd17df01c20d601",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 271,
"hostname": 744,
"URL": 1509,
"FileHash-SHA256": 1574,
"IPv4": 30,
"FileHash-MD5": 197,
"FileHash-SHA1": 109,
"SSLCertFingerprint": 4
},
"indicator_count": 4438,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69f5da1228db82eb87274cab",
"name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate",
"description": "",
"modified": "2026-05-31T05:19:13.706000",
"created": "2026-05-02T11:03:46.995000",
"tags": [
"united kingdom",
"united",
"spain",
"denmark",
"report spam",
"adversaries",
"days ago",
"xy amp",
"ck ids",
"packing",
"taskjob",
"ipv4",
"indicator role",
"active related",
"ccus asnas749",
"dynamicloader",
"port",
"high",
"windows",
"destination",
"displayname",
"write c",
"write",
"stream",
"defense evasion",
"malware",
"hostile",
"contacted",
"ids detections",
"query",
"hostile http",
"request",
"lowercase host",
"header observed",
"tls sni",
"yara detections",
"active",
"pulses hostname",
"otx logo",
"all report",
"t1045",
"t1053",
"t1055",
"fastly dns",
".ru",
"microsoft",
"palantirfoundry",
"ioc",
"history",
"compromise",
"antonio apr",
"valeria paredes",
"valeria",
"paredes",
"colorado",
"courts",
"judicial",
"denver county",
"dougco",
"pagosa springs",
"hacking",
"modifications",
"masquerading",
"mock",
"bannock st",
"ericka",
"arevalo antonio",
"criminal attack",
"cyber",
"threat actors",
"bots",
"ascii text",
"json",
"ms windows",
"pe32",
"medium",
"trojan",
"august",
"packer",
"local",
"next",
"rat",
"bat",
"botnet",
"cve",
"yahoo",
"pornhub",
"dns",
"remote",
"password",
"manipulation",
"objection",
"overruled",
"your witness",
"patriot act",
"tsara brashears",
"reflected",
"targeting",
"monitored target",
"incc",
"hua mucatul",
"securityvaleria",
"injection",
"aquire",
"correo",
"number",
"security apr",
"document file",
"v2 document",
"little endian",
"version",
"msi installer",
"code page",
"template",
"logmein",
"title",
"logmein rescue",
"gh0strat",
"emotet",
"scar",
"snake keylogger",
"trojandropper",
"review lo",
"ccdk ,",
"asnas20940",
"tulach",
"login join",
"support privacy",
"notice",
"programs porn",
"found pornstars",
"videos movies",
"now ooops",
"we ca",
"nt find",
"the page",
"sweet",
"click",
"back",
"tulach",
"they know",
"1%",
"f-h",
"englert"
],
"references": [
"https://www.coloradojudicial.gov/data",
"https://cp.bankid.no",
"coloradoproblemsolvingcourts.org?",
"https://odr.coloradojudicial.gov/login",
"http://coloradojudicial.gov/Courts/Supreme_Court/cjds",
"www.its.courts.state.co.us",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.sweetheartvideo.com/tsara-brashears",
"chrome.cloudflare-dns.com",
"https://rockylinux.map.fastlydns.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908275-0",
"display_name": "Win.Trojan.Generic-9908275-0",
"target": null
},
{
"id": "Trojan:Win32/Scar.MR!MTB",
"display_name": "Trojan:Win32/Scar.MR!MTB",
"target": "/malware/Trojan:Win32/Scar.MR!MTB"
},
{
"id": "Trojan:Win32/Zbot",
"display_name": "Trojan:Win32/Zbot",
"target": "/malware/Trojan:Win32/Zbot"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "TrojanDownloader:Win32/VB.IL",
"display_name": "TrojanDownloader:Win32/VB.IL",
"target": "/malware/TrojanDownloader:Win32/VB.IL"
},
{
"id": "TrojanDownloader:Win32/Inbat.H",
"display_name": "TrojanDownloader:Win32/Inbat.H",
"target": "/malware/TrojanDownloader:Win32/Inbat.H"
},
{
"id": "Trojan:Win32/Gupboot.B",
"display_name": "Trojan:Win32/Gupboot.B",
"target": "/malware/Trojan:Win32/Gupboot.B"
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Win.Trojan.Gh0stRAT-7480037-0",
"display_name": "Win.Trojan.Gh0stRAT-7480037-0",
"target": null
},
{
"id": "TrojanDownloader:Win32/Systex.A",
"display_name": "TrojanDownloader:Win32/Systex.A",
"target": "/malware/TrojanDownloader:Win32/Systex.A"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"target": null
},
{
"id": "Win.Trojan.Barys",
"display_name": "Win.Trojan.Barys",
"target": null
},
{
"id": "Win.Trojan.Killav-210",
"display_name": "Win.Trojan.Killav-210",
"target": null
},
{
"id": "TEL:Trojan:Win32/Injector.AB!MSR",
"display_name": "TEL:Trojan:Win32/Injector.AB!MSR",
"target": null
},
{
"id": "TrojanDownloader:Win32/Misfox",
"display_name": "TrojanDownloader:Win32/Misfox",
"target": "/malware/TrojanDownloader:Win32/Misfox"
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1588.001",
"name": "Malware",
"display_name": "T1588.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Technology",
"Law"
],
"TLP": "green",
"cloned_from": "69f5d960e861f6159823ff0b",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 273,
"hostname": 769,
"URL": 1601,
"FileHash-SHA256": 1576,
"IPv4": 227,
"FileHash-MD5": 197,
"FileHash-SHA1": 109,
"SSLCertFingerprint": 4,
"IPv6": 4
},
"indicator_count": 4760,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div> ![](\"static/rId9.jpeg\"/)
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Requires further research.",
"Same legal , and quasi governmental pattern identified",
"www.its.courts.state.co.us",
"div>
",
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"https://cp.bankid.no",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"It appears there are 5-7 known affected that I was able to find",
"https://rockylinux.map.fastlydns.net/",
"https://l.us-1.a.mimecastprotect.com/l",
"http://coloradojudicial.gov/Courts/Supreme_Court/cjds",
"https://www.coloradojudicial.gov/data",
"I apologize for the lack of reference.",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"chrome.cloudflare-dns.com",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.sweetheartvideo.com/tsara-brashears",
"https://odr.coloradojudicial.gov/login",
"coloradoproblemsolvingcourts.org?",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Alf:trojan:win32/cassini_f2776388!ibt",
"Trojandownloader:win32/inbat.h",
"Trojan:win32/scar.mr!mtb",
"#lowfi:lua:dllsuspiciousexport.a",
"Trojan:win32/zbot",
"Trojan:win32/blihan.a",
"Trojan:win32/smkldr.h!mtb",
"Trojan:win32/dorv.a",
"Trojan:msil/snakekeylogger.mk1!mtb",
"Trojandownloader:win32/upatre",
"Alf:pulzati:trojan:win32/emotet!rfn",
"Win.trojan.killav-210",
"Trojan:win32/glupteba.mt!mtb",
"Trojandownloader:win32/vb.il",
"Win.trojan.generic-9908275-0",
"Win.trojan.barys",
"Trojan:win32/gupboot.b",
"Win.malware.jaik-9968280-0",
"Win.trojan.gh0strat-7480037-0",
"Trojandownloader:win32/nemucod",
"Trojan:win32/zombie.a",
"Trojandownloader:win32/systex.a",
"Malware packed",
"Tel:trojan:win32/injector.ab!msr",
"Icedid",
"Mydoom",
"Trojandownloader:win32/misfox"
],
"industries": [
"Technology",
"Telecom",
"Government",
"Law",
"Legal"
],
"unique_indicators": 17104
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/skybrud.dk",
"whois": "http://whois.domaintools.com/skybrud.dk",
"domain": "skybrud.dk",
"hostname": "10334aa-fe.skybrud.dk"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 4,
"pulses": [
{
"id": "69f54c711cd17df01c20d601",
"name": "Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT",
"description": "Active cyber issues\ncontinue to affect Colorado Judicial, Government and Hospital systems. \n\nWhat\u2019s true: Targeting, Hacking , Rogue Domain Controller. Bad actors regularly ride outdated , poorly managed networks. \n\n\nTipped: Monitored Targets past irregular mail \nissues. URLs that redirects to Colorado Justice system., included in a letter that was sent to an undeliverable address. Mail sent again, recipient believes the contents of letters does not appear authentic. \n\n\nTipped: RE: Monitored Target. Unfavorable, Unjust conditions in Denver , Colorado USA. As recent as 4/2026. Other pulses related to this matter suggests a Pegasus relationship. Will need to analyze.",
"modified": "2026-05-31T05:19:13.706000",
"created": "2026-05-02T00:59:29.794000",
"tags": [
"united kingdom",
"united",
"spain",
"denmark",
"report spam",
"adversaries",
"days ago",
"xy amp",
"ck ids",
"packing",
"taskjob",
"ipv4",
"indicator role",
"active related",
"ccus asnas749",
"dynamicloader",
"port",
"high",
"windows",
"destination",
"displayname",
"write c",
"write",
"stream",
"defense evasion",
"malware",
"hostile",
"contacted",
"ids detections",
"query",
"hostile http",
"request",
"lowercase host",
"header observed",
"tls sni",
"yara detections",
"active",
"pulses hostname",
"otx logo",
"all report",
"t1045",
"t1053",
"t1055",
"fastly dns",
".ru",
"microsoft",
"palantirfoundry",
"ioc",
"history",
"compromise",
"antonio apr",
"valeria paredes",
"valeria",
"paredes",
"colorado",
"courts",
"judicial",
"denver county",
"dougco",
"pagosa springs",
"hacking",
"modifications",
"masquerading",
"mock",
"bannock st",
"ericka",
"arevalo antonio",
"criminal attack",
"cyber",
"threat actors",
"bots",
"ascii text",
"json",
"ms windows",
"pe32",
"medium",
"trojan",
"august",
"packer",
"local",
"next",
"rat",
"bat",
"botnet",
"cve",
"yahoo",
"pornhub",
"dns",
"remote",
"password",
"manipulation",
"objection",
"overruled",
"your witness",
"patriot act",
"tsara brashears",
"reflected",
"targeting",
"monitored target",
"incc",
"hua mucatul",
"securityvaleria",
"injection",
"aquire",
"correo",
"number",
"security apr",
"document file",
"v2 document",
"little endian",
"version",
"msi installer",
"code page",
"template",
"logmein",
"title",
"logmein rescue",
"gh0strat",
"emotet",
"scar",
"snake keylogger",
"trojandropper",
"review lo",
"ccdk ,",
"asnas20940",
"tulach",
"login join",
"support privacy",
"notice",
"programs porn",
"found pornstars",
"videos movies",
"now ooops",
"we ca",
"nt find",
"the page",
"sweet",
"click",
"back",
"tulach",
"they know",
"1%",
"f-h",
"englert"
],
"references": [
"https://www.coloradojudicial.gov/data",
"https://cp.bankid.no",
"coloradoproblemsolvingcourts.org?",
"https://odr.coloradojudicial.gov/login",
"http://coloradojudicial.gov/Courts/Supreme_Court/cjds",
"www.its.courts.state.co.us",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.sweetheartvideo.com/tsara-brashears",
"chrome.cloudflare-dns.com",
"https://rockylinux.map.fastlydns.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908275-0",
"display_name": "Win.Trojan.Generic-9908275-0",
"target": null
},
{
"id": "Trojan:Win32/Scar.MR!MTB",
"display_name": "Trojan:Win32/Scar.MR!MTB",
"target": "/malware/Trojan:Win32/Scar.MR!MTB"
},
{
"id": "Trojan:Win32/Zbot",
"display_name": "Trojan:Win32/Zbot",
"target": "/malware/Trojan:Win32/Zbot"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "TrojanDownloader:Win32/VB.IL",
"display_name": "TrojanDownloader:Win32/VB.IL",
"target": "/malware/TrojanDownloader:Win32/VB.IL"
},
{
"id": "TrojanDownloader:Win32/Inbat.H",
"display_name": "TrojanDownloader:Win32/Inbat.H",
"target": "/malware/TrojanDownloader:Win32/Inbat.H"
},
{
"id": "Trojan:Win32/Gupboot.B",
"display_name": "Trojan:Win32/Gupboot.B",
"target": "/malware/Trojan:Win32/Gupboot.B"
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Win.Trojan.Gh0stRAT-7480037-0",
"display_name": "Win.Trojan.Gh0stRAT-7480037-0",
"target": null
},
{
"id": "TrojanDownloader:Win32/Systex.A",
"display_name": "TrojanDownloader:Win32/Systex.A",
"target": "/malware/TrojanDownloader:Win32/Systex.A"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"target": null
},
{
"id": "Win.Trojan.Barys",
"display_name": "Win.Trojan.Barys",
"target": null
},
{
"id": "Win.Trojan.Killav-210",
"display_name": "Win.Trojan.Killav-210",
"target": null
},
{
"id": "TEL:Trojan:Win32/Injector.AB!MSR",
"display_name": "TEL:Trojan:Win32/Injector.AB!MSR",
"target": null
},
{
"id": "TrojanDownloader:Win32/Misfox",
"display_name": "TrojanDownloader:Win32/Misfox",
"target": "/malware/TrojanDownloader:Win32/Misfox"
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1588.001",
"name": "Malware",
"display_name": "T1588.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Technology",
"Law"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 271,
"hostname": 743,
"URL": 1509,
"FileHash-SHA256": 1574,
"IPv4": 30,
"FileHash-MD5": 197,
"FileHash-SHA1": 109,
"SSLCertFingerprint": 4
},
"indicator_count": 4437,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69f5d960e861f6159823ff0b",
"name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court \u2022 Part 3 - Rogue Domain Controller | Gh0stRAT'] credit, Q.VASHTI",
"description": "",
"modified": "2026-05-31T05:19:13.706000",
"created": "2026-05-02T11:00:48.440000",
"tags": [
"united kingdom",
"united",
"spain",
"denmark",
"report spam",
"adversaries",
"days ago",
"xy amp",
"ck ids",
"packing",
"taskjob",
"ipv4",
"indicator role",
"active related",
"ccus asnas749",
"dynamicloader",
"port",
"high",
"windows",
"destination",
"displayname",
"write c",
"write",
"stream",
"defense evasion",
"malware",
"hostile",
"contacted",
"ids detections",
"query",
"hostile http",
"request",
"lowercase host",
"header observed",
"tls sni",
"yara detections",
"active",
"pulses hostname",
"otx logo",
"all report",
"t1045",
"t1053",
"t1055",
"fastly dns",
".ru",
"microsoft",
"palantirfoundry",
"ioc",
"history",
"compromise",
"antonio apr",
"valeria paredes",
"valeria",
"paredes",
"colorado",
"courts",
"judicial",
"denver county",
"dougco",
"pagosa springs",
"hacking",
"modifications",
"masquerading",
"mock",
"bannock st",
"ericka",
"arevalo antonio",
"criminal attack",
"cyber",
"threat actors",
"bots",
"ascii text",
"json",
"ms windows",
"pe32",
"medium",
"trojan",
"august",
"packer",
"local",
"next",
"rat",
"bat",
"botnet",
"cve",
"yahoo",
"pornhub",
"dns",
"remote",
"password",
"manipulation",
"objection",
"overruled",
"your witness",
"patriot act",
"tsara brashears",
"reflected",
"targeting",
"monitored target",
"incc",
"hua mucatul",
"securityvaleria",
"injection",
"aquire",
"correo",
"number",
"security apr",
"document file",
"v2 document",
"little endian",
"version",
"msi installer",
"code page",
"template",
"logmein",
"title",
"logmein rescue",
"gh0strat",
"emotet",
"scar",
"snake keylogger",
"trojandropper",
"review lo",
"ccdk ,",
"asnas20940",
"tulach",
"login join",
"support privacy",
"notice",
"programs porn",
"found pornstars",
"videos movies",
"now ooops",
"we ca",
"nt find",
"the page",
"sweet",
"click",
"back",
"tulach",
"they know",
"1%",
"f-h",
"englert"
],
"references": [
"https://www.coloradojudicial.gov/data",
"https://cp.bankid.no",
"coloradoproblemsolvingcourts.org?",
"https://odr.coloradojudicial.gov/login",
"http://coloradojudicial.gov/Courts/Supreme_Court/cjds",
"www.its.courts.state.co.us",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.sweetheartvideo.com/tsara-brashears",
"chrome.cloudflare-dns.com",
"https://rockylinux.map.fastlydns.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908275-0",
"display_name": "Win.Trojan.Generic-9908275-0",
"target": null
},
{
"id": "Trojan:Win32/Scar.MR!MTB",
"display_name": "Trojan:Win32/Scar.MR!MTB",
"target": "/malware/Trojan:Win32/Scar.MR!MTB"
},
{
"id": "Trojan:Win32/Zbot",
"display_name": "Trojan:Win32/Zbot",
"target": "/malware/Trojan:Win32/Zbot"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "TrojanDownloader:Win32/VB.IL",
"display_name": "TrojanDownloader:Win32/VB.IL",
"target": "/malware/TrojanDownloader:Win32/VB.IL"
},
{
"id": "TrojanDownloader:Win32/Inbat.H",
"display_name": "TrojanDownloader:Win32/Inbat.H",
"target": "/malware/TrojanDownloader:Win32/Inbat.H"
},
{
"id": "Trojan:Win32/Gupboot.B",
"display_name": "Trojan:Win32/Gupboot.B",
"target": "/malware/Trojan:Win32/Gupboot.B"
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Win.Trojan.Gh0stRAT-7480037-0",
"display_name": "Win.Trojan.Gh0stRAT-7480037-0",
"target": null
},
{
"id": "TrojanDownloader:Win32/Systex.A",
"display_name": "TrojanDownloader:Win32/Systex.A",
"target": "/malware/TrojanDownloader:Win32/Systex.A"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"target": null
},
{
"id": "Win.Trojan.Barys",
"display_name": "Win.Trojan.Barys",
"target": null
},
{
"id": "Win.Trojan.Killav-210",
"display_name": "Win.Trojan.Killav-210",
"target": null
},
{
"id": "TEL:Trojan:Win32/Injector.AB!MSR",
"display_name": "TEL:Trojan:Win32/Injector.AB!MSR",
"target": null
},
{
"id": "TrojanDownloader:Win32/Misfox",
"display_name": "TrojanDownloader:Win32/Misfox",
"target": "/malware/TrojanDownloader:Win32/Misfox"
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1588.001",
"name": "Malware",
"display_name": "T1588.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Technology",
"Law"
],
"TLP": "green",
"cloned_from": "69f54c711cd17df01c20d601",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 271,
"hostname": 744,
"URL": 1509,
"FileHash-SHA256": 1574,
"IPv4": 30,
"FileHash-MD5": 197,
"FileHash-SHA1": 109,
"SSLCertFingerprint": 4
},
"indicator_count": 4438,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 67,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69f5da1228db82eb87274cab",
"name": "CREDIT: Q.VASHTI, Clone [\"Enemy of the State: Order in the Court] clone from cellphone seperate",
"description": "",
"modified": "2026-05-31T05:19:13.706000",
"created": "2026-05-02T11:03:46.995000",
"tags": [
"united kingdom",
"united",
"spain",
"denmark",
"report spam",
"adversaries",
"days ago",
"xy amp",
"ck ids",
"packing",
"taskjob",
"ipv4",
"indicator role",
"active related",
"ccus asnas749",
"dynamicloader",
"port",
"high",
"windows",
"destination",
"displayname",
"write c",
"write",
"stream",
"defense evasion",
"malware",
"hostile",
"contacted",
"ids detections",
"query",
"hostile http",
"request",
"lowercase host",
"header observed",
"tls sni",
"yara detections",
"active",
"pulses hostname",
"otx logo",
"all report",
"t1045",
"t1053",
"t1055",
"fastly dns",
".ru",
"microsoft",
"palantirfoundry",
"ioc",
"history",
"compromise",
"antonio apr",
"valeria paredes",
"valeria",
"paredes",
"colorado",
"courts",
"judicial",
"denver county",
"dougco",
"pagosa springs",
"hacking",
"modifications",
"masquerading",
"mock",
"bannock st",
"ericka",
"arevalo antonio",
"criminal attack",
"cyber",
"threat actors",
"bots",
"ascii text",
"json",
"ms windows",
"pe32",
"medium",
"trojan",
"august",
"packer",
"local",
"next",
"rat",
"bat",
"botnet",
"cve",
"yahoo",
"pornhub",
"dns",
"remote",
"password",
"manipulation",
"objection",
"overruled",
"your witness",
"patriot act",
"tsara brashears",
"reflected",
"targeting",
"monitored target",
"incc",
"hua mucatul",
"securityvaleria",
"injection",
"aquire",
"correo",
"number",
"security apr",
"document file",
"v2 document",
"little endian",
"version",
"msi installer",
"code page",
"template",
"logmein",
"title",
"logmein rescue",
"gh0strat",
"emotet",
"scar",
"snake keylogger",
"trojandropper",
"review lo",
"ccdk ,",
"asnas20940",
"tulach",
"login join",
"support privacy",
"notice",
"programs porn",
"found pornstars",
"videos movies",
"now ooops",
"we ca",
"nt find",
"the page",
"sweet",
"click",
"back",
"tulach",
"they know",
"1%",
"f-h",
"englert"
],
"references": [
"https://www.coloradojudicial.gov/data",
"https://cp.bankid.no",
"coloradoproblemsolvingcourts.org?",
"https://odr.coloradojudicial.gov/login",
"http://coloradojudicial.gov/Courts/Supreme_Court/cjds",
"www.its.courts.state.co.us",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://www.sweetheartvideo.com/tsara-brashears",
"chrome.cloudflare-dns.com",
"https://rockylinux.map.fastlydns.net/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Trojan.Generic-9908275-0",
"display_name": "Win.Trojan.Generic-9908275-0",
"target": null
},
{
"id": "Trojan:Win32/Scar.MR!MTB",
"display_name": "Trojan:Win32/Scar.MR!MTB",
"target": "/malware/Trojan:Win32/Scar.MR!MTB"
},
{
"id": "Trojan:Win32/Zbot",
"display_name": "Trojan:Win32/Zbot",
"target": "/malware/Trojan:Win32/Zbot"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "TrojanDownloader:Win32/VB.IL",
"display_name": "TrojanDownloader:Win32/VB.IL",
"target": "/malware/TrojanDownloader:Win32/VB.IL"
},
{
"id": "TrojanDownloader:Win32/Inbat.H",
"display_name": "TrojanDownloader:Win32/Inbat.H",
"target": "/malware/TrojanDownloader:Win32/Inbat.H"
},
{
"id": "Trojan:Win32/Gupboot.B",
"display_name": "Trojan:Win32/Gupboot.B",
"target": "/malware/Trojan:Win32/Gupboot.B"
},
{
"id": "Win.Malware.Jaik-9968280-0",
"display_name": "Win.Malware.Jaik-9968280-0",
"target": null
},
{
"id": "Trojan:Win32/Glupteba.MT!MTB",
"display_name": "Trojan:Win32/Glupteba.MT!MTB",
"target": "/malware/Trojan:Win32/Glupteba.MT!MTB"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"display_name": "Trojan:MSIL/SnakeKeylogger.MK1!MTB",
"target": "/malware/Trojan:MSIL/SnakeKeylogger.MK1!MTB"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Win.Trojan.Gh0stRAT-7480037-0",
"display_name": "Win.Trojan.Gh0stRAT-7480037-0",
"target": null
},
{
"id": "TrojanDownloader:Win32/Systex.A",
"display_name": "TrojanDownloader:Win32/Systex.A",
"target": "/malware/TrojanDownloader:Win32/Systex.A"
},
{
"id": "Trojan:Win32/Blihan.A",
"display_name": "Trojan:Win32/Blihan.A",
"target": "/malware/Trojan:Win32/Blihan.A"
},
{
"id": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"display_name": "ALF:PulZati:Trojan:Win32/Emotet!rfn",
"target": null
},
{
"id": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_f2776388!ibt",
"target": null
},
{
"id": "Win.Trojan.Barys",
"display_name": "Win.Trojan.Barys",
"target": null
},
{
"id": "Win.Trojan.Killav-210",
"display_name": "Win.Trojan.Killav-210",
"target": null
},
{
"id": "TEL:Trojan:Win32/Injector.AB!MSR",
"display_name": "TEL:Trojan:Win32/Injector.AB!MSR",
"target": null
},
{
"id": "TrojanDownloader:Win32/Misfox",
"display_name": "TrojanDownloader:Win32/Misfox",
"target": "/malware/TrojanDownloader:Win32/Misfox"
},
{
"id": "Malware Packed",
"display_name": "Malware Packed",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1207",
"name": "Rogue Domain Controller",
"display_name": "T1207 - Rogue Domain Controller"
},
{
"id": "T1428",
"name": "Exploit Enterprise Resources",
"display_name": "T1428 - Exploit Enterprise Resources"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1553.001",
"name": "Gatekeeper Bypass",
"display_name": "T1553.001 - Gatekeeper Bypass"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1588.001",
"name": "Malware",
"display_name": "T1588.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Technology",
"Law"
],
"TLP": "green",
"cloned_from": "69f5d960e861f6159823ff0b",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 273,
"hostname": 769,
"URL": 1601,
"FileHash-SHA256": 1576,
"IPv4": 227,
"FileHash-MD5": 197,
"FileHash-SHA1": 109,
"SSLCertFingerprint": 4,
"IPv6": 4
},
"indicator_count": 4760,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "699b907c5375efb7ce1639b8",
"name": "Apple Redirects in Apple Support = IcedID | MITM attack",
"description": "Researching targets former iPhone. Redirect in Apple support. [support.apple.com/ht^*^ redirects to support.apple.com/de/^*^*^] IcedID identified. | Environment: 3 -5 suspected compromised devices present. Behavior: iPhone reset itself twice, deleted passcodes, required new passcodes, compromised contacts notified target added a new device (FALSE) , threat actor stole Apple cash , added , Password storage, reset television. Targeted another device auto downloaded a Mimecast compromise, attached to iCloud , corrupted files downloaded. Emotet identified. Reset SmartTV. Browser bar AI: mood swings. Overt changes, white screen, pink screens, thread erased. Identified OTX. as a honeypot also states it\u2019s legitimate. I dumped information. AI agents focused on victim leaving shreds of evidence , paper trail , w/ anyone ,anywhere. AI model told truth \u2018I don\u2019t like you , you\u2019ve changed, you lied, you changed all facts .\u201d,etc. An acceptable baseline of communication established . #botnet #command_and_control #IcedID",
"modified": "2026-03-24T21:11:04.306000",
"created": "2026-02-22T23:25:48.722000",
"tags": [
"dynamicloader",
"tls handshake",
"failure",
"whitelisted",
"akamai",
"yara detections",
"trojan",
"write",
"zeppelin",
"malware",
"hostile",
"unknown",
"port",
"destination",
"read c",
"united",
"as16625 akamai",
"win32",
"persistence",
"execution",
"passive dns",
"urls",
"otx logo",
"all url",
"http",
"ip address",
"related nids",
"files location",
"win32mydoom feb",
"name servers",
"servers",
"worm",
"virtool",
"files",
"ipv4",
"reverse dns",
"america flag",
"america asn",
"United States",
"unknown ns",
"asn as714",
"invalid url",
"mtb oct",
"mtb sep",
"lowfi",
"trojanspy",
"total",
"push",
"defender",
"china unknown",
"mtb apr",
"ok server",
"gmt content",
"type",
"accept",
"show",
"todo",
"all filehash",
"av detections",
"shift",
"url http",
"url https",
"hostname",
"type indicator",
"source hostname",
"writeconsolew",
"post https",
"tlsv1",
"medium",
"write c",
"dock",
"command",
"control",
"icedid",
"domain",
"all domain",
"status",
"hostname add",
"crlf line",
"unicode text",
"utf8",
"ee fc",
"yara rule",
"ff d5",
"ascii text",
"f0 ff",
"eb e1",
"music",
"next",
"autorun",
"suspicious",
"compatibility",
"mode",
"entries",
"lredmond",
"stwashington",
"search",
"tls sni",
"denmark",
"body html",
"head title",
"title head",
"body h1",
"all ipv4",
"url analysis",
"users",
"ff ff",
"files domain",
"files related",
"url add",
"flag united",
"present apr",
"location united",
"asn asnone",
"as16509",
"moved",
"title",
"body",
"code",
"mydoom",
"bot net",
"mitm",
"aquire",
"hidden users",
"no expiration",
"filehashsha256",
"expiration",
"showing",
"indicator role",
"pulses url",
"pulse show",
"iot",
"Iced iced baby"
],
"references": [
"support.apple.com/ht^*^*^*^ redirects to support.apple.com/de/^*^*^*^*^",
"This is messy! OTX refreshed and deleted IoC\u2019s. Will continue researching",
"IDS Detections: Observed IcedID CnC Domain in TLS SNI TLS Handshake Failure",
"df57a01 c40f355a0f8a592294187d4fedc257 [Compatibility Mode] - Word",
"div>
",
"Same legal , and quasi governmental pattern identified",
"I apologize for the lack of reference.",
"Requires further research.",
"Will pulse remaining Apple IoC\u2019s in next pulse",
"https://l.us-1.a.mimecastprotect.com/l",
"It appears there are 5-7 known affected that I was able to find"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Germany",
"Denmark",
"United States of America",
"Japan"
],
"malware_families": [
{
"id": "Icedid",
"display_name": "Icedid",
"target": null
},
{
"id": "Trojan:Win32/SmkLdr.H!MTB",
"display_name": "Trojan:Win32/SmkLdr.H!MTB",
"target": "/malware/Trojan:Win32/SmkLdr.H!MTB"
},
{
"id": "#Lowfi:Lua:DllSuspiciousExport.A",
"display_name": "#Lowfi:Lua:DllSuspiciousExport.A",
"target": null
},
{
"id": "MyDoom",
"display_name": "MyDoom",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
}
],
"industries": [
"Technology",
"Telecom",
"Legal"
],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2051,
"FileHash-SHA256": 1706,
"URL": 6984,
"domain": 1097,
"FileHash-MD5": 401,
"FileHash-SHA1": 276,
"SSLCertFingerprint": 9,
"email": 13,
"CVE": 1
},
"indicator_count": 12538,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 145,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://10334aa-fe.skybrud.dk/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://10334aa-fe.skybrud.dk/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780235642.8296916
}