{ "type": "URL", "indicator": "https://1362.awsdns-42.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://1362.awsdns-42.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3724077300, "indicator": "https://1362.awsdns-42.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6773128b197198508ca38129", "name": "norton extra", "description": "", "modified": "2025-05-28T16:34:24.019000", "created": "2024-12-30T21:37:15.935000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3079, "hostname": 5287, "URL": 17154, "FileHash-SHA256": 763 }, "indicator_count": 26283, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809ec9da9326e1bdf8743", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:20.769000", "created": "2024-01-29T20:26:20.769000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809eabd76cbbfdfc07c6e", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:18.174000", "created": "2024-01-29T20:26:18.174000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f69115e6b1bdc8a7dcdbc", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:05.056000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6919cafcba3ac406d5b2", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:13.375000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6920d79aa646c2d5db49", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:20.787000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6b136775cbf67d25ddfb", "name": "Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com] Alias Brian Sabey?", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:41:39.434000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f69115e6b1bdc8a7dcdbc", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657feca7df9ea6c21350c01a", "name": "Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com] ", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-18T06:54:31.063000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f6b136775cbf67d25ddfb", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6581d8d30621e6303cad9da4", "name": "RallyPoint.com", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-19T17:54:27.416000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f69115e6b1bdc8a7dcdbc", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64ab412e96e4858e508978c7", "name": "rogers", "description": "", "modified": "2023-09-07T00:03:31.457000", "created": "2023-07-09T23:22:22.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1132, "hostname": 1682, "URL": 520, "CVE": 94, "email": 87, "FileHash-SHA256": 3120, "FileHash-MD5": 608, "FileHash-SHA1": 605 }, "indicator_count": 7848, "is_author": false, "is_subscribing": null, "subscriber_count": 87, "modified_text": "956 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "search.roi.ros.gov.uk", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Other malware", "Alf:heraklezeval:trojan:win32/clipbanker", "Pegasus" ], "industries": [], "unique_indicators": 78887 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/awsdns-42.org", "whois": "http://whois.domaintools.com/awsdns-42.org", "domain": "awsdns-42.org", "hostname": "1362.awsdns-42.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "696ac416596cd89cf76bce55", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:04:53.997000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac4327b5bc2e8be34f78a", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:22.323000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "696ac438a696c993b672106d", "name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE", "description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]", "modified": "2026-02-15T22:03:06.041000", "created": "2026-01-16T23:05:28.261000", "tags": [ "united", "win32", "urls", "twitter", "trojan", "united states", "dynamicloader", "default", "delete c", "json", "ascii text", "high", "data", "write c", "stream", "write", "malware", "dirty", "servers", "unknown aaaa", "Crazy Frost", "create c", "port", "destination", "unknown", "encrypt", "passive dns", "Verizon", "Twitter", "url analysis", "url add", "http", "files related", "related tags", "Project Cicada", "present nov", "present dec", "present sep", "present jul", "present jun", "or icon", "gold w", "dots larger", "background", "pegasus", "meta", "backdoor", "ransom", "checkin", "trojandropper", "mtb nov", "ipv4", "data upload", "extraction", "ottow", "Christopher Ahmann", "Pegasus", "url https", "hostname", "files domain", "present jan", "moved", "ip address", "record value", "apache", "paris", "followupboss", "type", "hostname add", "next associated", "title error", "reverse dns", "windows nt", "wow64", "khtml", "gecko", "connect", "head", "tlsv1", "accept", "date", "powershell", "iframe", "span", "push", "next", "shark", "Connection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "mitre att", "ck techniques", "pattern match", "size", "null", "refresh", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "look", "verify", "restart", "Denver, Co 80211", "body", "title", "One Reach AI" ], "references": [ "https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0", "pegasuspartners.followupboss.com", "Project Cicada: verizon.pr1414.my.nonprod-asurion53.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8", "Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net", "search.roi.ros.gov.uk", "ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info", "Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai", "Denver, US 80211 http://library.verizon.onereach.ai", "https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/", "https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11078, "hostname": 4331, "domain": 1932, "FileHash-SHA256": 1999, "FileHash-MD5": 357, "FileHash-SHA1": 169, "email": 5, "SSLCertFingerprint": 6, "CVE": 1 }, "indicator_count": 19878, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "63 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6773128b197198508ca38129", "name": "norton extra", "description": "", "modified": "2025-05-28T16:34:24.019000", "created": "2024-12-30T21:37:15.935000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3079, "hostname": 5287, "URL": 17154, "FileHash-SHA256": 763 }, "indicator_count": 26283, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809ec9da9326e1bdf8743", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:20.769000", "created": "2024-01-29T20:26:20.769000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65b809eabd76cbbfdfc07c6e", "name": "Pegasus | Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com]", "description": "", "modified": "2024-01-29T20:26:18.174000", "created": "2024-01-29T20:26:18.174000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657feca7df9ea6c21350c01a", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "811 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f69115e6b1bdc8a7dcdbc", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:05.056000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6919cafcba3ac406d5b2", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:13.375000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6920d79aa646c2d5db49", "name": "RallyPoint.com", "description": "MyPublicWiFi.exe\nRallyPoint.com", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:33:20.787000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657f6b136775cbf67d25ddfb", "name": "Lazarus Group [Hallrender.com = safebae.oeg + rallypoint.com] Alias Brian Sabey?", "description": "", "modified": "2024-01-16T18:00:08.947000", "created": "2023-12-17T21:41:39.434000", "tags": [ "united", "unknown", "as13335", "search", "showing", "aaaa", "emails", "name servers", "servers", "as54113", "body", "date", "as15169 google", "cname", "as393648", "moved", "creation date", "record value", "entries", "domain related", "domains show", "asn15169", "google", "frankfurt", "main", "germany", "http", "ashburn", "amazonaes", "asn16509", "facebook", "june", "general full", "url https", "reverse dns", "protocol h2", "security tls", "get h2", "software", "resource", "hash", "value", "search live", "api blog", "docs pricing", "login", "december", "variables", "paq object", "piwik", "matomo", "article", "join url", "facebook url", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "ip detail", "domains domain", "tree links", "certs frames", "cisco umbrella", "site", "alexa top", "safe site", "malware", "heur", "malware site", "malicious site", "million", "phishing site", "phishing", "unsafe", "applicunwnt", "artemis", "riskware", "revenue service", "iframe", "downldr", "agent", "presenoker", "vidar", "alexa", "ssl certificate", "whois record", "historical ssl", "urls http", "njrat", "ransomware", "communicating", "referrer", "whois whois", "hostname", "hostnames", "ip address", "javascript", "detections type", "name", "win32 exe", "email holokaust", "android", "files", "android file", "domains", "hashes", "westlaw njrat", "whois", "collections", "contacted", "pe resource", "threat roundup", "january", "collection", "august", "lolkek", "installer", "hacktool", "emotet", "lazarus", "makop", "core" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "657f69115e6b1bdc8a7dcdbc", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 97, "URL": 15233, "domain": 3362, "email": 14, "hostname": 5001, "FileHash-SHA256": 2750, "CVE": 5 }, "indicator_count": 26611, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "824 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://1362.awsdns-42.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://1362.awsdns-42.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776704232.72705 }