{ "type": "URL", "indicator": "https://13.location.search", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://13.location.search", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4204885905, "indicator": "https://13.location.search", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b1f368db0d00947ef729c2", "name": "\u5403\u74dc\u770b\u9ed1\u6599\u5c31\u4e0a - \u9ed1\u6599\u5403\u74dc\u7f51 | \u70ed\u95e8\u4e8b\u4ef6\u7206\u6599\u4e0e\u771f\u76f8", "description": "Why is this type of malicious found on a US citizens device? Found in a link extracted from a glitching device.. Palantir\u2019s Prometheus Intelligence Technology tracking and AI at work.\n#tracker #http_redirect #onlyfans_? #bombing #airlines #lalal.ai #openclaw #targeted", "modified": "2026-04-10T22:04:28.607000", "created": "2026-03-11T22:57:44.584000", "tags": [ "\u9ed1\u6599", "\u5403\u74dc", "\u5403\u74dc\u7f51", "51\u5403\u74dc", "\u9ed1\u6599\u4e0d\u6253\u70ca", "\u9ed1\u6599\u5403\u74dc\u7f51", "\u70ed\u95e8\u5927\u74dc", "\u660e\u661f\u8d44\u8baf", "\u7f51\u7ea2\u9ed1\u6599", "\u5185\u6db5\u6bb5\u5b50", "\u4eca\u65e5\u5403\u74dc", "\u5403\u74dc\u65b0\u95fb", "\u9ed1\u6599\u66dd\u5149", "\u516b\u5366\u65b0\u95fb", "\u793e\u4f1a\u70ed\u70b9", "\u5403\u74dc\u7fa4\u4f17", "\u70ed\u70b9\u4e8b\u4ef6", "\u6bcf\u65e5\u5403\u74dc", "\u7f51\u7ea2\u5403\u74dc", "\u4eca\u65e5\u5927\u74dc", "\u5403\u74dc\u7206\u6599", "\u5403\u74dc\u4e2d\u5fc3", "\u4eca\u65e5\u70ed\u74dc", "\u5403\u74dc\u9ed1\u6599", "\u9ed1\u6599\u6cc4\u5bc6", "\u91cd\u78c5\u9ed1\u6599", "\u5403\u74dc\u6cc4\u5bc6", "\u4eca\u65e5\u9ed1\u6599", "\u6700\u65b0\u9ed1\u6599", "\u5403\u74dc\u66dd\u5149", "\u5403\u74dc\u8d44\u6e90", "\u91cd\u78c5\u5403\u74dc", "\u5a31\u4e50\u70ed\u74dc", "chrome", "cos ai", "a serif", "sans serif", "top10", "openclaw", "21200", "onlyfans", "strong", "dmca copyright", "address google", "safe browsing", "data upload", "extraction", "lte all", "enter sc", "type o", "extra", "referen https", "lte o", "type", "extr data", "include review", "exclude sugges", "failed", "hong kong", "passive dns", "otx logo", "all ipv4", "url analysis", "urls", "files", "location hong", "value", "march", "0x1595 function", "0x19b5 object", "tracker", "base64 object", "cookie function", "mlog", "localconst", "style function", "reverse dns", "general full", "url https", "resource", "software", "hash", "security tls", "singapore", "asn139341", "aceasap ace", "ip address", "cloudflare", "report", "whois", "as13335", "name lookup", "website", "kong", "ssl certificate", "http", "request chain", "nl redirected", "http redirect", "kb script", "protocol h3", "security quic", "seychelles", "asn13335", "cloudflarenet", "js function", "portable descr", "internet", "iana", "iana web", "stepgo limited", "assigned pa", "afrinic", "filtered parent", "ebene", "mahe", "stepgo", "united", "unknown ns", "script script", "moved", "record value", "title", "0 lte", "find s", "size", "mitre att", "ck id", "ck matrix", "root", "hybrid", "general", "path", "click", "strings", "yrbyd", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "initial access", "lalal.ai", "record type", "ttl value", "thumbprint", "ios ping", "defense evasion", "id name", "malicious", "t1055.015 list planting", "sha1", "copy md5", "sha256", "pattern match", "show technique", "unknown", "accept", "date", "local", "starfield", "encrypt", "iframe", "prometheus intelligence technology", "apple", "cyber attacks", "usptracker.com", "android" ], "references": [ "https://airline.cmntgoyq.com/ | Prometheus Intelligence Technology", "lalal.ai", "logstream-mystifying-tharp-7si72pw.cribl.cloud", "quantum-staging.emsbk.com", "spf.google.com", "Amazon.com", "mc.yandex.com \u2022 mc.yandex.ru \u2022 yandex.com \u2022 yandex.ru", "mc.yandex.com/metrika/ \u2022 mc.yandex.com/watch/99885987/", "api-cookie.click", "delete-me.bgs.beanie.cloud", "bridge-websocket-evolosciuc.devint01.goodleap.com", "https://bombing.gwuzafo.cc/", "test-ssa.pineapples.dev", "sso.dev.applemarketingtools.com", "containers-oceanus.palantirsec.com", "https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "kadmos.bot \u2022 cutout.bot \u2022 scenebot.com", "https://www.lalal.ai/privacy-policy/InvalidOutputFolderErrorQAndroidJniObject", "Will sort to identify malware", "https://hybrid-analysis.com/sample/9e7bfc9fb60aa3e3f3c5b91f84ebf8b07e35893e1491149420535cd494bb8a32/69b1b467625a11ce330587db" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4097, "domain": 849, "hostname": 2440, "FileHash-MD5": 149, "FileHash-SHA1": 131, "FileHash-SHA256": 955, "CIDR": 5, "email": 6, "SSLCertFingerprint": 8 }, "indicator_count": 8640, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b235439d56630943ea31e6", "name": "Clone by Q Vashti (excellent systemic analyzer I may add)", "description": "", "modified": "2026-04-10T22:04:28.607000", "created": "2026-03-12T03:38:43.171000", "tags": [ "\u9ed1\u6599", "\u5403\u74dc", "\u5403\u74dc\u7f51", "51\u5403\u74dc", "\u9ed1\u6599\u4e0d\u6253\u70ca", "\u9ed1\u6599\u5403\u74dc\u7f51", "\u70ed\u95e8\u5927\u74dc", "\u660e\u661f\u8d44\u8baf", "\u7f51\u7ea2\u9ed1\u6599", "\u5185\u6db5\u6bb5\u5b50", "\u4eca\u65e5\u5403\u74dc", "\u5403\u74dc\u65b0\u95fb", "\u9ed1\u6599\u66dd\u5149", "\u516b\u5366\u65b0\u95fb", "\u793e\u4f1a\u70ed\u70b9", "\u5403\u74dc\u7fa4\u4f17", "\u70ed\u70b9\u4e8b\u4ef6", "\u6bcf\u65e5\u5403\u74dc", "\u7f51\u7ea2\u5403\u74dc", "\u4eca\u65e5\u5927\u74dc", "\u5403\u74dc\u7206\u6599", "\u5403\u74dc\u4e2d\u5fc3", "\u4eca\u65e5\u70ed\u74dc", "\u5403\u74dc\u9ed1\u6599", "\u9ed1\u6599\u6cc4\u5bc6", "\u91cd\u78c5\u9ed1\u6599", "\u5403\u74dc\u6cc4\u5bc6", "\u4eca\u65e5\u9ed1\u6599", "\u6700\u65b0\u9ed1\u6599", "\u5403\u74dc\u66dd\u5149", "\u5403\u74dc\u8d44\u6e90", "\u91cd\u78c5\u5403\u74dc", "\u5a31\u4e50\u70ed\u74dc", "chrome", "cos ai", "a serif", "sans serif", "top10", "openclaw", "21200", "onlyfans", "strong", "dmca copyright", "address google", "safe browsing", "data upload", "extraction", "lte all", "enter sc", "type o", "extra", "referen https", "lte o", "type", "extr data", "include review", "exclude sugges", "failed", "hong kong", "passive dns", "otx logo", "all ipv4", "url analysis", "urls", "files", "location hong", "value", "march", "0x1595 function", "0x19b5 object", "tracker", "base64 object", "cookie function", "mlog", "localconst", "style function", "reverse dns", "general full", "url https", "resource", "software", "hash", "security tls", "singapore", "asn139341", "aceasap ace", "ip address", "cloudflare", "report", "whois", "as13335", "name lookup", "website", "kong", "ssl certificate", "http", "request chain", "nl redirected", "http redirect", "kb script", "protocol h3", "security quic", "seychelles", "asn13335", "cloudflarenet", "js function", "portable descr", "internet", "iana", "iana web", "stepgo limited", "assigned pa", "afrinic", "filtered parent", "ebene", "mahe", "stepgo", "united", "unknown ns", "script script", "moved", "record value", "title", "0 lte", "find s", "size", "mitre att", "ck id", "ck matrix", "root", "hybrid", "general", "path", "click", "strings", "yrbyd", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "initial access", "lalal.ai", "record type", "ttl value", "thumbprint", "ios ping", "defense evasion", "id name", "malicious", "t1055.015 list planting", "sha1", "copy md5", "sha256", "pattern match", "show technique", "unknown", "accept", "date", "local", "starfield", "encrypt", "iframe", "prometheus intelligence technology", "apple", "cyber attacks", "usptracker.com", "android" ], "references": [ "https://airline.cmntgoyq.com/ | Prometheus Intelligence Technology", "lalal.ai", "logstream-mystifying-tharp-7si72pw.cribl.cloud", "quantum-staging.emsbk.com", "spf.google.com", "Amazon.com", "mc.yandex.com \u2022 mc.yandex.ru \u2022 yandex.com \u2022 yandex.ru", "mc.yandex.com/metrika/ \u2022 mc.yandex.com/watch/99885987/", "api-cookie.click", "delete-me.bgs.beanie.cloud", "bridge-websocket-evolosciuc.devint01.goodleap.com", "https://bombing.gwuzafo.cc/", "test-ssa.pineapples.dev", "sso.dev.applemarketingtools.com", "containers-oceanus.palantirsec.com", "https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "kadmos.bot \u2022 cutout.bot \u2022 scenebot.com", "https://www.lalal.ai/privacy-policy/InvalidOutputFolderErrorQAndroidJniObject", "Will sort to identify malware", "https://hybrid-analysis.com/sample/9e7bfc9fb60aa3e3f3c5b91f84ebf8b07e35893e1491149420535cd494bb8a32/69b1b467625a11ce330587db" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "69b1f368db0d00947ef729c2", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4097, "domain": 849, "hostname": 2440, "FileHash-MD5": 149, "FileHash-SHA1": 131, "FileHash-SHA256": 955, "CIDR": 5, "email": 6, "SSLCertFingerprint": 8 }, "indicator_count": 8640, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698ef344417f9985660e698b", "name": "Pulse Data", "description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.", "modified": "2026-03-28T07:23:23.210000", "created": "2026-02-13T09:47:48.788000", "tags": [ "imphash", "file type", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections tls", "zeppelin" ], "references": [ "", "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access " ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 646, "FileHash-SHA1": 604, "FileHash-SHA256": 1373, "hostname": 1143, "domain": 1381, "URL": 2537, "CVE": 101, "email": 25, "SSLCertFingerprint": 9 }, "indicator_count": 7819, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "Tipped of new looming airline threats", "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access ", "kadmos.bot \u2022 cutout.bot \u2022 scenebot.com", "Verification failure observed in automated verification handlers during sandbox replay.", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Yara Detections: MS_Visual_Basic_6_0", "https://airline.cmntgoyq.com/ | Prometheus Intelligence Technology", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "mailbox.co.za", "I need some help.", "https://www.justice.gov/opa/pr/departmen.t", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "spf.google.com", "git.spywarewatchdog.org", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/9e7bfc9fb60aa3e3f3c5b91f84ebf8b07e35893e1491149420535cd494bb8a32/69b1b467625a11ce330587db", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "https://apple.btprmjo.cc/", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "accenture.cn", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Uses code, no phone calls. Connected via instagram.", "test-ssa.pineapples.dev", "sso.dev.applemarketingtools.com", "quantum-staging.emsbk.com", "Foundry Palantir still has a presence in Colorado", "By remote view of NEW targeys view, all key calls are routed through him.", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "Connects to all NEW targets key contacts main targets contacts.", "Some Colorado communities have been taken over by the State Government", "https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "We have foot soldiers. Be aware", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "https://bombing.gwuzafo.cc/", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://www.lalal.ai/privacy-policy/InvalidOutputFolderErrorQAndroidJniObject", "Attacker being used by several legal entities attacking a target\u2019s family", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "https://api.manus.im/api/oauth2_callback/apple", "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "lalal.ai", "Email: d4@thinkman.com", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "mc.yandex.com \u2022 mc.yandex.ru \u2022 yandex.com \u2022 yandex.ru", "Accurately tipped about air travel safety. In past. Proven true.", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "ASN AS27064 dod network information center", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "delete-me.bgs.beanie.cloud", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "Foundry Foot Soldiers are still in Colorado targeting innocents", "fmx32.aig.com \u2022 167.230.105.81", "containers-oceanus.palantirsec.com", "Amazon.com", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "A man claiming to have the name Sebastian is communicating with targets love one", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "target.id \u2022 tostring.call \u2022 title.search", "Targets associated warned. Not very open to advice.", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "internationalfrontier.com", "mc.yandex.com/metrika/ \u2022 mc.yandex.com/watch/99885987/", "bridge-websocket-evolosciuc.devint01.goodleap.com", "marriott-datacenter-prd.accenture.cn", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "api-cookie.click", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "Alerts: console_output antivm_memory_available pe_features", "logstream-mystifying-tharp-7si72pw.cribl.cloud", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "AVDetections: Patched3_c.AKRV", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "Yara Detections: Armadillov171", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Luxury Apartments and Townhome communities do use Foundry Palantir", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "http://www.internationalfrontier.com", "Alerts: stealth_window packer_entropy uses_windows_utilities", "I would post his public information. It may be unwise.", "Will sort to identify malware", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "marriott-control-prd.accenture.cn", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "http://truefoundry.prodigaltech.com/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Heur/unsec", "Crypt3.bxmj", "Node traffic", "Trojan:win32/tiggre!rfn", "Inject2.bive", "Trojan.downloader12.43161", "Win32:trojan-gen", "Win.trojan.rootkit-4668", "Malware", "Trojandownloader:win32/umbald.a", "Backdoor:win32/tofsee.t", "Win32:agent-alxe\\ [rtk]", "Crypt3.chzw", "Et trojan", "Crypt3.bxvc", "Crypt3.bmvu", "Patched3_c.akrv", "Win32:malware-gen", "Crypt3.boqd\t\t inject2.bhbw" ], "industries": [ "Government", "Defense", "Military", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Insurance" ], "unique_indicators": 172947 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/location.search", "whois": "http://whois.domaintools.com/location.search", "domain": "location.search", "hostname": "13.location.search" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-04-19T08:11:41.130000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27678, "FileHash-SHA256": 47676, "FileHash-MD5": 42534, "FileHash-SHA1": 23213, "hostname": 33703, "URL": 75433, "SSLCertFingerprint": 30, "CVE": 7582, "email": 313, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "IPv4": 80, "URI": 5 }, "indicator_count": 284461, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b7241a63b7527ac2b04d60", "name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]", "description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]", "modified": "2026-04-14T18:06:37.524000", "created": "2026-03-15T21:26:50.218000", "tags": [ "man software", "destination", "port", "united", "delete", "read c", "virustotal", "patched3_c.akrv", "armadillov171", "dod", "thinkman", "win32", "trojan", "present mar", "backdoor", "urls", "files", "unknown", "search", "china as23724", "asnone", "artemis", "zeppelin", "drweb", "vipre", "panda", "malware", "suspicious", "cloud", "logic", "et trojan", "et info", "download", "windows", "embeddedwb", "shellexecuteexw", "msie", "windows nt", "writeconsolew", "displayname", "service", "ids detections", "yara detections", "crypt", "medium", "whitelisted", "passive dns", "worm", "mtb may", "mtb aug", "otx logo", "all ipv4", "pulse pulses", "dynamicloader", "yara rule", "ff d5", "high", "reg add", "regsz d", "write", "file type", "pexe", "pe32", "intel", "ms windows", "pe packer", "pm size", "pehash", "richhash", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "over", "sha256", "sha1", "ascii text", "size", "mitre att", "pattern match", "null", "span", "error", "body", "hybrid", "general", "local", "path", "click", "strings", "refresh", "tools", "title", "show technique", "look", "verify", "restart", "t1480 execution", "navy", "reputation", "adult content", "cyber warfare" ], "references": [ "AVDetections: Patched3_c.AKRV", "Yara Detections: Armadillov171", "Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http", "IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40", "Contacted Domains: tick.usno.navy.mil www.thinkman.com", "AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States", "AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States", "AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany", "AS15169 google llc | 8.8.8.8\t| dns.google | United States", "Email: d4@thinkman.com", "Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States", "ASN AS27064 dod network information center", "Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.", "Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.", "tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen", "TrojanDownloader:Win32/Umbald.A\tMalware infection", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc", "Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process", "Alerts: stealth_window packer_entropy uses_windows_utilities", "Alerts: console_output antivm_memory_available pe_features", "Yara Detections: MS_Visual_Basic_6_0", "Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun", "Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe", "Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process", "Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities", "Alerts: queries_user_name queries_keyboard_layout queries_locale_api", "Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types", "porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com", "http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/", "navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/", "https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous", "192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host", "444ea032708bb0d940de0ef72b944244 | credit msudosos", "Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244", "https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]", "https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf", "DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif", "https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )", "205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )", "https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0", "mailbox.co.za", "fmx32.aig.com \u2022 167.230.105.81", "https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Patched3_c.AKRV", "display_name": "Patched3_c.AKRV", "target": null }, { "id": "Win32:Agent-ALXE\\ [Rtk]", "display_name": "Win32:Agent-ALXE\\ [Rtk]", "target": null }, { "id": "Win.Trojan.Rootkit-4668", "display_name": "Win.Trojan.Rootkit-4668", "target": null }, { "id": "Trojan:Win32/Tiggre!rfn", "display_name": "Trojan:Win32/Tiggre!rfn", "target": "/malware/Trojan:Win32/Tiggre!rfn" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Crypt3.CHZW", "display_name": "Crypt3.CHZW", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Crypt3.BXMJ", "display_name": "Crypt3.BXMJ", "target": null }, { "id": "Crypt3.BOQD\t\t Inject2.BHBW", "display_name": "Crypt3.BOQD\t\t Inject2.BHBW", "target": null }, { "id": "Crypt3.BMVU", "display_name": "Crypt3.BMVU", "target": null }, { "id": "Trojan.DownLoader12.43161", "display_name": "Trojan.DownLoader12.43161", "target": null }, { "id": "HEUR/UnSec", "display_name": "HEUR/UnSec", "target": null }, { "id": "ET Trojan", "display_name": "ET Trojan", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "TrojanDownloader:Win32/Umbald.A", "display_name": "TrojanDownloader:Win32/Umbald.A", "target": "/malware/TrojanDownloader:Win32/Umbald.A" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Military", "Defense", "Insurance" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 165, "FileHash-SHA1": 165, "FileHash-SHA256": 3524, "URL": 11424, "email": 1, "hostname": 3954, "domain": 2523 }, "indicator_count": 21756, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b1f368db0d00947ef729c2", "name": "\u5403\u74dc\u770b\u9ed1\u6599\u5c31\u4e0a - \u9ed1\u6599\u5403\u74dc\u7f51 | \u70ed\u95e8\u4e8b\u4ef6\u7206\u6599\u4e0e\u771f\u76f8", "description": "Why is this type of malicious found on a US citizens device? Found in a link extracted from a glitching device.. Palantir\u2019s Prometheus Intelligence Technology tracking and AI at work.\n#tracker #http_redirect #onlyfans_? #bombing #airlines #lalal.ai #openclaw #targeted", "modified": "2026-04-10T22:04:28.607000", "created": "2026-03-11T22:57:44.584000", "tags": [ "\u9ed1\u6599", "\u5403\u74dc", "\u5403\u74dc\u7f51", "51\u5403\u74dc", "\u9ed1\u6599\u4e0d\u6253\u70ca", "\u9ed1\u6599\u5403\u74dc\u7f51", "\u70ed\u95e8\u5927\u74dc", "\u660e\u661f\u8d44\u8baf", "\u7f51\u7ea2\u9ed1\u6599", "\u5185\u6db5\u6bb5\u5b50", "\u4eca\u65e5\u5403\u74dc", "\u5403\u74dc\u65b0\u95fb", "\u9ed1\u6599\u66dd\u5149", "\u516b\u5366\u65b0\u95fb", "\u793e\u4f1a\u70ed\u70b9", "\u5403\u74dc\u7fa4\u4f17", "\u70ed\u70b9\u4e8b\u4ef6", "\u6bcf\u65e5\u5403\u74dc", "\u7f51\u7ea2\u5403\u74dc", "\u4eca\u65e5\u5927\u74dc", "\u5403\u74dc\u7206\u6599", "\u5403\u74dc\u4e2d\u5fc3", "\u4eca\u65e5\u70ed\u74dc", "\u5403\u74dc\u9ed1\u6599", "\u9ed1\u6599\u6cc4\u5bc6", "\u91cd\u78c5\u9ed1\u6599", "\u5403\u74dc\u6cc4\u5bc6", "\u4eca\u65e5\u9ed1\u6599", "\u6700\u65b0\u9ed1\u6599", "\u5403\u74dc\u66dd\u5149", "\u5403\u74dc\u8d44\u6e90", "\u91cd\u78c5\u5403\u74dc", "\u5a31\u4e50\u70ed\u74dc", "chrome", "cos ai", "a serif", "sans serif", "top10", "openclaw", "21200", "onlyfans", "strong", "dmca copyright", "address google", "safe browsing", "data upload", "extraction", "lte all", "enter sc", "type o", "extra", "referen https", "lte o", "type", "extr data", "include review", "exclude sugges", "failed", "hong kong", "passive dns", "otx logo", "all ipv4", "url analysis", "urls", "files", "location hong", "value", "march", "0x1595 function", "0x19b5 object", "tracker", "base64 object", "cookie function", "mlog", "localconst", "style function", "reverse dns", "general full", "url https", "resource", "software", "hash", "security tls", "singapore", "asn139341", "aceasap ace", "ip address", "cloudflare", "report", "whois", "as13335", "name lookup", "website", "kong", "ssl certificate", "http", "request chain", "nl redirected", "http redirect", "kb script", "protocol h3", "security quic", "seychelles", "asn13335", "cloudflarenet", "js function", "portable descr", "internet", "iana", "iana web", "stepgo limited", "assigned pa", "afrinic", "filtered parent", "ebene", "mahe", "stepgo", "united", "unknown ns", "script script", "moved", "record value", "title", "0 lte", "find s", "size", "mitre att", "ck id", "ck matrix", "root", "hybrid", "general", "path", "click", "strings", "yrbyd", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "initial access", "lalal.ai", "record type", "ttl value", "thumbprint", "ios ping", "defense evasion", "id name", "malicious", "t1055.015 list planting", "sha1", "copy md5", "sha256", "pattern match", "show technique", "unknown", "accept", "date", "local", "starfield", "encrypt", "iframe", "prometheus intelligence technology", "apple", "cyber attacks", "usptracker.com", "android" ], "references": [ "https://airline.cmntgoyq.com/ | Prometheus Intelligence Technology", "lalal.ai", "logstream-mystifying-tharp-7si72pw.cribl.cloud", "quantum-staging.emsbk.com", "spf.google.com", "Amazon.com", "mc.yandex.com \u2022 mc.yandex.ru \u2022 yandex.com \u2022 yandex.ru", "mc.yandex.com/metrika/ \u2022 mc.yandex.com/watch/99885987/", "api-cookie.click", "delete-me.bgs.beanie.cloud", "bridge-websocket-evolosciuc.devint01.goodleap.com", "https://bombing.gwuzafo.cc/", "test-ssa.pineapples.dev", "sso.dev.applemarketingtools.com", "containers-oceanus.palantirsec.com", "https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "kadmos.bot \u2022 cutout.bot \u2022 scenebot.com", "https://www.lalal.ai/privacy-policy/InvalidOutputFolderErrorQAndroidJniObject", "Will sort to identify malware", "https://hybrid-analysis.com/sample/9e7bfc9fb60aa3e3f3c5b91f84ebf8b07e35893e1491149420535cd494bb8a32/69b1b467625a11ce330587db" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4097, "domain": 849, "hostname": 2440, "FileHash-MD5": 149, "FileHash-SHA1": 131, "FileHash-SHA256": 955, "CIDR": 5, "email": 6, "SSLCertFingerprint": 8 }, "indicator_count": 8640, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b235439d56630943ea31e6", "name": "Clone by Q Vashti (excellent systemic analyzer I may add)", "description": "", "modified": "2026-04-10T22:04:28.607000", "created": "2026-03-12T03:38:43.171000", "tags": [ "\u9ed1\u6599", "\u5403\u74dc", "\u5403\u74dc\u7f51", "51\u5403\u74dc", "\u9ed1\u6599\u4e0d\u6253\u70ca", "\u9ed1\u6599\u5403\u74dc\u7f51", "\u70ed\u95e8\u5927\u74dc", "\u660e\u661f\u8d44\u8baf", "\u7f51\u7ea2\u9ed1\u6599", "\u5185\u6db5\u6bb5\u5b50", "\u4eca\u65e5\u5403\u74dc", "\u5403\u74dc\u65b0\u95fb", "\u9ed1\u6599\u66dd\u5149", "\u516b\u5366\u65b0\u95fb", "\u793e\u4f1a\u70ed\u70b9", "\u5403\u74dc\u7fa4\u4f17", "\u70ed\u70b9\u4e8b\u4ef6", "\u6bcf\u65e5\u5403\u74dc", "\u7f51\u7ea2\u5403\u74dc", "\u4eca\u65e5\u5927\u74dc", "\u5403\u74dc\u7206\u6599", "\u5403\u74dc\u4e2d\u5fc3", "\u4eca\u65e5\u70ed\u74dc", "\u5403\u74dc\u9ed1\u6599", "\u9ed1\u6599\u6cc4\u5bc6", "\u91cd\u78c5\u9ed1\u6599", "\u5403\u74dc\u6cc4\u5bc6", "\u4eca\u65e5\u9ed1\u6599", "\u6700\u65b0\u9ed1\u6599", "\u5403\u74dc\u66dd\u5149", "\u5403\u74dc\u8d44\u6e90", "\u91cd\u78c5\u5403\u74dc", "\u5a31\u4e50\u70ed\u74dc", "chrome", "cos ai", "a serif", "sans serif", "top10", "openclaw", "21200", "onlyfans", "strong", "dmca copyright", "address google", "safe browsing", "data upload", "extraction", "lte all", "enter sc", "type o", "extra", "referen https", "lte o", "type", "extr data", "include review", "exclude sugges", "failed", "hong kong", "passive dns", "otx logo", "all ipv4", "url analysis", "urls", "files", "location hong", "value", "march", "0x1595 function", "0x19b5 object", "tracker", "base64 object", "cookie function", "mlog", "localconst", "style function", "reverse dns", "general full", "url https", "resource", "software", "hash", "security tls", "singapore", "asn139341", "aceasap ace", "ip address", "cloudflare", "report", "whois", "as13335", "name lookup", "website", "kong", "ssl certificate", "http", "request chain", "nl redirected", "http redirect", "kb script", "protocol h3", "security quic", "seychelles", "asn13335", "cloudflarenet", "js function", "portable descr", "internet", "iana", "iana web", "stepgo limited", "assigned pa", "afrinic", "filtered parent", "ebene", "mahe", "stepgo", "united", "unknown ns", "script script", "moved", "record value", "title", "0 lte", "find s", "size", "mitre att", "ck id", "ck matrix", "root", "hybrid", "general", "path", "click", "strings", "yrbyd", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "initial access", "lalal.ai", "record type", "ttl value", "thumbprint", "ios ping", "defense evasion", "id name", "malicious", "t1055.015 list planting", "sha1", "copy md5", "sha256", "pattern match", "show technique", "unknown", "accept", "date", "local", "starfield", "encrypt", "iframe", "prometheus intelligence technology", "apple", "cyber attacks", "usptracker.com", "android" ], "references": [ "https://airline.cmntgoyq.com/ | Prometheus Intelligence Technology", "lalal.ai", "logstream-mystifying-tharp-7si72pw.cribl.cloud", "quantum-staging.emsbk.com", "spf.google.com", "Amazon.com", "mc.yandex.com \u2022 mc.yandex.ru \u2022 yandex.com \u2022 yandex.ru", "mc.yandex.com/metrika/ \u2022 mc.yandex.com/watch/99885987/", "api-cookie.click", "delete-me.bgs.beanie.cloud", "bridge-websocket-evolosciuc.devint01.goodleap.com", "https://bombing.gwuzafo.cc/", "test-ssa.pineapples.dev", "sso.dev.applemarketingtools.com", "containers-oceanus.palantirsec.com", "https://otx.alienvault.com/pulse/69af3fd8db2ede31abda6c14", "kadmos.bot \u2022 cutout.bot \u2022 scenebot.com", "https://www.lalal.ai/privacy-policy/InvalidOutputFolderErrorQAndroidJniObject", "Will sort to identify malware", "https://hybrid-analysis.com/sample/9e7bfc9fb60aa3e3f3c5b91f84ebf8b07e35893e1491149420535cd494bb8a32/69b1b467625a11ce330587db" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Malware", "display_name": "Malware", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" } ], "industries": [], "TLP": "white", "cloned_from": "69b1f368db0d00947ef729c2", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4097, "domain": 849, "hostname": 2440, "FileHash-MD5": 149, "FileHash-SHA1": 131, "FileHash-SHA256": 955, "CIDR": 5, "email": 6, "SSLCertFingerprint": 8 }, "indicator_count": 8640, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a2127d12dce12538b57d72", "name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets", "description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]", "modified": "2026-03-29T20:03:36.333000", "created": "2026-02-27T21:54:05.261000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5643, "domain": 700, "hostname": 1918, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9873, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aa019f4509897e354fe029", "name": "credit Q Vashti Cloned Pulse ", "description": "", "modified": "2026-03-29T20:03:36.333000", "created": "2026-03-05T22:20:15.324000", "tags": [ "pattern match", "heuristic match", "all url", "files domain", "pulses otx", "germany unknown", "aaaa", "ip address", "emails", "gmt server", "vary", "modified", "accept", "title", "present feb", "present jan", "united", "part", "moved", "passive dns", "cname", "final", "bill", "antivm", "xlsx", "xlsm", "urls", "otx logo", "all hostname", "server", "organization", "city", "stateprovince", "postal code", "phone", "registrar abuse", "privacy admin", "paris admin", "april", "direct", "february", "http", "dfn verein", "zur foerderung", "domain", "page url", "tags", "de summary", "erlangen", "germany", "securitytrails", "de seen", "general info", "geo erlangen", "as as680", "de note", "route", "data upload", "extraction", "failed", "extra data", "referen", "include review", "exclude data", "summary", "url age", "as680", "se source", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "over", "ascii text", "mitre att", "size", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "node traffic", "tlsv1", "search", "rgba", "medium", "read c", "module load", "t1129", "execution", "next", "dock", "write", "persistence", "calls", "apis", "reads", "model", "value", "getprocaddress", "show technique", "ck matrix", "access type", "windir", "regexp", "open", "date", "format", "virtual disk drive", "sha256", "sha1", "body", "filehashsha1", "found", "unknown", "stop", "root", "form", "9999", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "bad traffic", "et info", "tls handshake", "failure", "flag", "analysis tip", "openurl c", "msie", "windows nt", "wow64", "slcc2", "media center", "show", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious yara", "detections none", "less ip", "dynamicloader", "get na", "c3bhaw", "high", "copy", "guard", "push", "Palantir", "Foundry", "Whitehouse", "X.Com", "Justice.gov", "Apple", "AI", "node traffic" ], "references": [ "tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net", "https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022", "http://truefoundry.prodigaltech.com/", "git.spywarewatchdog.org", "marriott-control-prd.accenture.cn", "marriott-datacenter-prd.accenture.cn", "accenture.cn", "c.j.location.host \u2022 videodata.video \u2022 referrer.search", "target.id \u2022 tostring.call \u2022 title.search", "https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737", "https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70", "calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019", "http://truefoundry.prodigaltech.com/", "Attacker being used by several legal entities attacking a target\u2019s family", "Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render", "Luxury Apartments and Townhome communities do use Foundry Palantir", "Some Colorado communities have been taken over by the State Government", "Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)", "Denver Justice System. Palantir allegedly moved potato Headquarters to Miami", "Foundry Foot Soldiers are still in Colorado targeting innocents", "Foundry Palantir still has a presence in Colorado", "I need some help.", "Accurately tipped about air travel safety. In past. Proven true.", "Tipped of new looming airline threats", "Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.", "Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.", "FBI files opened up on a targeted phone, Iunseel, only in search history.", "Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /", "No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!", "Hours after files were deemed malicious. We powered on targeted Smart TV", "You have to go through a series of steps to change themes and wallpapers , including powering off TV", "Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .", "A man claiming to have the name Sebastian is communicating with targets love one", "Uses code, no phone calls. Connected via instagram.", "I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious", "By remote view of NEW targeys view, all key calls are routed through him.", "Targets associated warned. Not very open to advice.", "I would post his public information. It may be unwise.", "Connects to all NEW targets key contacts main targets contacts.", "We have foot soldiers. Be aware", "https://www.justice.gov/opa/pr/departmen.t", "https://api.manus.im/api/oauth2_callback/apple", "https://apple.btprmjo.cc/", "https://creative.miqdigital.com/.well-known/apple-app-site-association", "internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf", "http://www.internationalfrontier.com", "http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf", "https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~", "Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Node Traffic", "display_name": "Node Traffic", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1055.011", "name": "Extra Window Memory Injection", "display_name": "T1055.011 - Extra Window Memory Injection" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.004", "name": "Asynchronous Procedure Call", "display_name": "T1055.004 - Asynchronous Procedure Call" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1055.014", "name": "VDSO Hijacking", "display_name": "T1055.014 - VDSO Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "69a2127d12dce12538b57d72", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5644, "domain": 701, "hostname": 1920, "FileHash-SHA256": 1161, "FileHash-MD5": 235, "email": 4, "FileHash-SHA1": 200, "CVE": 1, "CIDR": 2, "SSLCertFingerprint": 9 }, "indicator_count": 9877, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698ef344417f9985660e698b", "name": "Pulse Data", "description": "A complete summary of all the key points in the analysis of the W32.virus, compiled by the University of California, Los Angeles, at the end of May, 2014, and published online.", "modified": "2026-03-28T07:23:23.210000", "created": "2026-02-13T09:47:48.788000", "tags": [ "imphash", "file type", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections tls", "zeppelin" ], "references": [ "", "4860f9c5ec1ab473f1d63d19a31c82798d65a8d2 Add to Pulse Pulses 2 AV Detections 1 IDS Detections 5 YARA Detections 3 Alerts 0 Analysis Overview Analysis Date 4 days ago File Score 12 Malicious Antivirus Detections TrojanDownloader:Win32/Tugspay.A IDS Detections TLS Handshake Failure 403 Forbidden Yara Detections Win32_PUA_Domaiq , aPLib , PECompact_2xx Alerts 31 Alerts antivm_display infostealer_browser infostealer_cookies procmem_yara static_pe_anomaly suricata_alert antivm_bochs_keys physical_drive_access " ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 646, "FileHash-SHA1": 604, "FileHash-SHA256": 1373, "hostname": 1143, "domain": 1381, "URL": 2537, "CVE": 101, "email": 25, "SSLCertFingerprint": 9 }, "indicator_count": 7819, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://13.location.search", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://13.location.search", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776712257.0242379 }