{ "type": "URL", "indicator": "https://36ads.joewa.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://36ads.joewa.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3893187953, "indicator": "https://36ads.joewa.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6976d69ecbc0497f97e28618", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:10.502000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6a601f06adcd1ed22fc", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:18.022000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6afd744c55bd596ed6e", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:27.248000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d5115ad786de4ff048e5b", "name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker", "description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access", "modified": "2025-09-13T02:00:42.729000", "created": "2025-08-14T02:59:33.036000", "tags": [ "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "present sep", "united", "present aug", "present jul", "present jun", "moved", "unknown ns", "present may", "present apr", "passive dns", "date", "encrypt", "body", "cookie", "gmt server", "content type", "dynamicloader", "medium", "x17x03x01", "download studio", "high", "read c", "show", "windows", "copy", "powershell", "write", "anomaly", "next", "unknown", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "yara detections", "delphi", "codeoverlap", "win32", "rgba", "memcommit", "delete", "png image", "hash", "dock", "execution", "malware", "wine emulator", "dynamic", "msie", "windows nt", "wow64", "slcc2", "media center", "capture", "persistence", "sha256", "submitted", "copy md5", "copy sha1", "copy sha256", "sha1", "script", "mitre att", "ck id", "show technique", "ck matrix", "null", "august", "span", "refresh", "meta", "mirai", "february", "april", "june", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "caribe", "rest", "accept", "friday", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6211, "domain": 682, "hostname": 1661, "FileHash-MD5": 117, "FileHash-SHA1": 100, "FileHash-SHA256": 1386, "SSLCertFingerprint": 5 }, "indicator_count": 10162, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f3a54e7db6a02a7bb25c9", "name": "Bank of America - Gafgyt \u2022 TrojanSpy \u2022 South African Service Center (BotNet)", "description": "Bank of America South African Service Center BotNet - IoT botnet Gafgyt targets popular routers through RCE vulnerabilities, also known as BASHLITE, discovered in 2014. It is a Linux-based Mirai related IoT botnet \u2022\n 197.221.2.3 - www.readersareleaders.co.za\twww.readersareleaders.co.za\t[South Africa] AS37153 african network information center\nThis is the call center affecting multiple entities, targeting involved. Affects AllState [Esurance = NGIC? ] BoFa \u2022 T-mobile | MetroBy T\u2022 Mobile \u2022 .\nWhy is Bank of America so sketchy? \n[remote.dekro.co.za]", "modified": "2025-09-02T09:02:13.372000", "created": "2025-08-03T10:30:43.521000", "tags": [ "dynamicloader", "medium", "write c", "entries", "show", "search", "http traffic", "utf8", "crlf line", "post", "trojanspy", "copy", "powershell", "write", "delphi", "win32", "next", "graphics", "gaz company", "turbo exe", "company turbo", "code", "malware", "dcom", "execution", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "development att", "defense evasion", "south africa", "td tr", "unknown a", "td td", "tbody", "tr tr", "passive dns", "ddos", "next associated", "body", "click", "unknown soa", "unknown cname", "location south", "africa asn", "as37153", "pulses none", "related tags", "none indicator", "facts", "asn as37153", "associated urls", "date checked", "url hostname", "server response", "ip address", "mtb oct", "date", "united", "urls", "ov ssl", "record value", "object", "pulse", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "show technique", "ck matrix", "pattern match", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "strings", "tools", "look", "verify", "restart", "t1480 execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 732, "domain": 175, "hostname": 470, "FileHash-SHA256": 346, "FileHash-MD5": 141, "FileHash-SHA1": 132, "email": 1 }, "indicator_count": 1997, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688e31b80edd775fe5d2f34f", "name": "Social Engineering led to -#Lowfi:HSTR:Win32/iWin.B", "description": "Likely: Phone referral led to an in person meeting, financial transaction, telephone numbers exchange, website click, in home service call. The alternative is compromised target was redirected to malicious host or service provider became compromised by targeted persons issue.\nThere are several targeted people. This person is closely associated with a target.(idk -malicious)\nMitre: T1055.015\tListPlanting\t\nDefense Evasion\nPrivilege Escalation\nAdversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:41:44.319000", "tags": [ "united", "search", "moved", "ip address", "creation date", "record value", "date", "gmt server", "gmt content", "certificate", "apache", "encrypt", "gmt path", "set cookie", "httponly", "passive dns", "urls", "address", "meta", "dynamicloader", "write c", "medium", "tlsv1", "show", "entries", "high", "http", "copy", "upatre", "write", "unknown", "asn15169", "google", "asn46606", "unifiedlayeras1", "frankfurt", "main", "germany", "google safe", "browsing", "script urls", "a domains", "libs", "monstroid2", "link", "accept encoding", "script domains", "title", "vary", "jquery", "pulse pulses", "hostname xn", "files domain", "showing", "next associated", "urls show", "date checked", "url hostname", "server response", "present jul", "for privacy", "roboto", "delete", "trojan", "globalc", "mozilla", "guard", "malware", "iwin", "local", "lowfi", "helper", "nsisdl", "executable", "amazon s3", "pe exe", "dll windows", "http yara", "alerts", "meta http", "content", "pragma", "content type", "body", "service", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "windows nt", "mitre att", "ascii text", "show technique", "path", "span", "click", "august", "hybrid", "general", "strings", "footer", "ck matrix" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 460, "hostname": 744, "URL": 3496, "email": 4, "domain": 394, "FileHash-SHA256": 2072, "FileHash-MD5": 464, "SSLCertFingerprint": 7 }, "indicator_count": 7641, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d30048b95aaba628a5ee7", "name": "Working on it\u2026\u2026", "description": "\u2022 Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\n(onyx-ware.com)\nNS1.ENDGAME.COM\n(endgames.us)\nNS1.ENDGAME.COM\n#deadmau5 #janskyofficial #idk #soundcloud", "modified": "2025-08-19T17:00:59.379000", "created": "2025-07-20T18:05:56.587000", "tags": [ "dynamicloader", "united", "as15169", "medium", "search", "show", "write c", "whitelisted", "brazil as396982", "high", "themida", "write", "delphi", "copy", "upatre", "encrypt", "june", "win32", "malware", "win64", "windows nt", "directui", "element", "classinfobase", "value", "hwndhost", "sapeav12", "delete c", "worm", "explorer", "insert", "movie", "alerts", "windows", "installs", "filehash", "sha256 add", "pulse pulses", "av detections", "ids detections", "passive dns", "urls", "http", "ip address", "related nids", "files location", "spain flag", "spain domain", "files related", "spain", "entries", "next associated", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "filehashsha256", "type indicator", "role title", "added active", "related pulses", "url http", "filehashmd5", "showing", "url https", "indicator role", "title added", "active related", "iocs", "learn more", "filehashsha1", "types of", "united kingdom", "t1053", "taskjob", "t1055", "injection", "t1082", "t1119", "t1129", "modules", "t1143", "soundcloud", "created", "hour ago", "facebook", "twitter", "victims website", "youtube", "jansky", "trojandropper", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2012, "FileHash-MD5": 140, "FileHash-SHA1": 129, "FileHash-SHA256": 1348, "SSLCertFingerprint": 3, "domain": 288, "hostname": 812 }, "indicator_count": 4732, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687b5499d48de6e54f3bff11", "name": "213.174.130.70 - Spyware Install | Emotet via Malware sites", "description": "Malicious IP address for multiple malware domains. Very malicious spyware, will hijack network and devices. \n\u2022 Best Targeted sites \nSpyware Install\n\u2022 Garveep POST CnC\nBeacon\n\u2022 Worm.Mydoom\nCheckin\n\n#endgame #emotet #mydoom #malware_domains #install_spyware #monitered_targets", "modified": "2025-08-18T08:00:43.712000", "created": "2025-07-19T08:17:29.443000", "tags": [ "handle", "ripe ncc", "ripe network", "address range", "cidr", "allocation type", "assigned pa", "status", "whois server", "entity ah36ripe", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cgb stgreater", "cnsectigo rsa", "secure server", "ca validity", "date", "abuse contact", "orgid", "orgtechhandle", "address", "orgabuseref", "postalcode", "ripe", "seen", "update date", "tech email", "admin country", "expiration date", "dnssec", "admin id", "mi11255597wp", "msie", "chrome", "passive dns", "united", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "hosting", "open", "body", "extraction", "data upload", "failed", "include review", "anorexx", "video", "father sex", "ebony riding", "ebony", "roberta", "type win32", "exe size", "mb first", "file name", "sentinelone", "present jul", "present oct", "entries http", "memcommit", "t1055", "read c", "search", "entries", "show", "medium", "showing", "high process", "injection t1055", "copy", "write", "win32", "malware", "tsara brashears", "tsara", "pornhub", "porn videos", "watch tsara", "most relevant", "open threat", "exchange", "public", "https", "green", "daily", "brashears", "porn", "watch", "busty xxx", "filter tsara", "brashears porn", "url add", "pulse pulses", "http", "related pulses", "none related", "tags none", "file type", "md5 sha256", "google safe", "browsing", "dynamicloader", "dynamic", "read", "delete", "mtb apr", "trojan", "lowfi", "virtool", "icloader apr", "otx telemetry", "australia", "exploit", "cobalt strike", "hostile", "trojanspy", "msil", "win64", "pulse", "alerts", "yara rule", "named pipe", "xe7xf3xf2x14x9d", "high", "delphi", "local", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "defense evasion", "adversaries", "spawns", "found", "process details", "flag", "contacted", "meta", "location united", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "size", "beginstring", "null", "type data", "error", "span", "hybrid", "general", "click", "strings", "refresh", "tools", "pattern match", "show technique", "mitre att", "ck matrix", "ascii text", "show process", "utf8", "crlf line", "network traffic", "path", "included", "review", "excludea", "sugges data", "typ url", "url url", "url hos", "hos hos", "extraction f", "enter so", "u extractio", "extra data", "included review", "ic excluded", "suggeste", "pulses", "md5 google", "safe browsing", "virustotal api", "comments", "ally s", "extraction data", "enter soudcfidi", "ad temdac", "cddad ad", "praw type", "extr", "include u", "creation date", "record value", "gmt content", "x adblock", "certificate", "domain", "encrypt", "sec ch", "ch ua", "unknown aaaa", "ua full", "ua platform", "present jun", "moved", "ip address", "doctype html", "lander script", "head", "method", "allowed date", "arizona", "scottsdale", "go daddy", "authority", "next associated", "extraction fail", "enter soupce", "udi ad", "trydda dada", "panca type", "ur extraction", "s data", "pr extract", "servers", "hostname", "files ip", "denmark unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 4, "URL": 7528, "domain": 1822, "hostname": 2015, "email": 5, "FileHash-MD5": 373, "FileHash-SHA1": 363, "FileHash-SHA256": 1939 }, "indicator_count": 14049, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67035385a884405e783f9a7e", "name": "Mirai_Botnet_Malware | Healthcare \u00bb savethemalesdenver.com |", "description": "Impacting multiple Colorado medical facilities and educational institutions and patients. || Malware Families\nBackdoor:Linux/Mirai.B\nELF:Mirai-BZ\\ [Trj]\nMirai\nMirai_Botnet_Malware\nTrojan:Win32/Zombie.A\nTrojanClicker:Win32/Frosparf\nTrojanDownloader:Win32/Fosniw\nUnix.Trojan.Mirai-6976991-0\nAd", "modified": "2024-11-06T01:02:24.390000", "created": "2024-10-07T03:20:37.224000", "tags": [ "canada unknown", "redacted for", "as25825", "all scoreblue", "passive dns", "ipv4", "reverse dns", "next", "for privacy", "cname", "united states", "nxdomain", "ns nxdomain", "united", "as21928", "south korea", "as9318 sk", "taiwan as3462", "as701 verizon", "search", "maxage apt", "minage apt", "maxsize apt", "malware", "as44273 host", "creation date", "status", "showing", "record value", "certificate", "date", "urls", "overview ip", "address", "related nids", "files location", "flag united", "domain", "files related", "intel", "ms windows", "users", "pe32", "number", "ascii text", "crlf line", "database", "english", "tue jun", "installer", "template", "trojan", "write", "registrar", "pulse submit", "url analysis", "files", "msie", "chrome", "rdds service", "record", "registrant", "admin", "tech contact", "name servers", "email please", "moved", "trojanproxy", "virtool", "as1221", "aaaa", "asnone united", "show", "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "script urls", "gmt path", "fedora", "open ports", "nginx http", "server", "a domains", "gmt content", "set cookie", "gmt etag", "accept", "expiration date", "backdoor", "mirai", "scan endpoints", "all search", "otx scoreblue", "hostname", "verdict", "unknown", "new pulse", "loveland", "america asn", "Generic36.ABKD", "domains", "location canada", "as32133", "files ip", "address domain", "path max", "age86400 set", "cookie", "type", "entries", "script domains", "downloader", "body", "servers", "emails", "gmt max", "title", "meta", "as20940", "as16625 akamai", "west domains", "as4230 claro", "copy", "sabey", "contacted" ], "references": [ "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "Domains Contacted: ntp.ubuntu.com", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Japan", "Taiwan", "Philippines", "India", "Italy", "Germany", "Netherlands" ], "malware_families": [ { "id": "ELF:Mirai-BZ\\ [Trj]", "display_name": "ELF:Mirai-BZ\\ [Trj]", "target": null }, { "id": "Mirai_Botnet_Malware", "display_name": "Mirai_Botnet_Malware", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Unix.Trojan.Mirai-6976991-0", "display_name": "Unix.Trojan.Mirai-6976991-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Backdoor:Linux/Mirai.B", "display_name": "Backdoor:Linux/Mirai.B", "target": "/malware/Backdoor:Linux/Mirai.B" }, { "id": "TrojanDownloader:Win32/Fosniw", "display_name": "TrojanDownloader:Win32/Fosniw", "target": "/malware/TrojanDownloader:Win32/Fosniw" }, { "id": "TrojanClicker:Win32/Frosparf", "display_name": "TrojanClicker:Win32/Frosparf", "target": "/malware/TrojanClicker:Win32/Frosparf" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Legal", "Healthcare", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1230, "email": 16, "hostname": 1560, "URL": 3400, "FileHash-SHA256": 1064, "FileHash-MD5": 544, "FileHash-SHA1": 496, "CVE": 1 }, "indicator_count": 8311, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6f2cd37f508d362c2db", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "", "modified": "2024-07-01T00:23:14.084000", "created": "2024-07-01T00:23:14.084000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": "664fceb9e0acfc0baee851c2", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "657 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664fceb9e0acfc0baee851c2", "name": "PegaSystems | Apple iOS iPad | Malicious | Tracking", "description": "Tags, findings of this report is auto generated by Level Blue OTX.AlienVault.\nPer my research: \nMalicious Score: 10/10\nAlerts: Alerts\nransomware_file_modifications, script_created_process, stealth_network, infostealer_cookies, suspicious_command_tools,\ndynamic_function_loading, reads_self,\nstealth_window, cmdline_http_link, uses_windows_utilities, antidebug_setunhandledexceptionfilter, cmdline_terminate, stealth_timeout,\n\nAffected Device: Apples iOS Ipad, Update 17.5.1\npegasystems.voicestorm.com -Cisco Umbrella {permanently moved as of 5.23.2024} found in Apple link - http://apps.apple.com/app/, nsis, downloaders,injection, data local, remotewd devices, tracking,", "modified": "2024-06-22T23:05:37.577000", "created": "2024-05-23T23:18:17.563000", "tags": [ "united", "passive dns", "as14449", "moved", "urls", "authority", "body", "object", "certificate", "scan endpoints", "unknown", "date", "as11377", "as16552 tiggee", "as174 cogent", "ireland unknown", "cname", "as11404 wave", "all scoreblue", "pulse pulses", "entries", "ipv4", "pulse submit", "url analysis", "dynamicloader", "port", "destination", "high", "medium", "windows", "cmd c", "default", "document file", "v2 document", "write", "copy", "name verdict", "falcon sandbox", "sha1", "sha256", "misc attack", "mitre att", "et tor", "known tor", "relayrouter", "exit", "node traffic", "ascii text", "hybrid", "starfield", "click", "strings", "core", "contact", "as396982 google", "historical ssl", "referrer", "co20230203", "malware", "discord", "credential", "lunar client", "trendmicro av", "neural netw", "upscayl", "steam game", "server", "domain status", "registrar abuse", "google", "community", "record type", "ttl value", "data", "v3 serial", "number" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "URL": 3584, "domain": 836, "hostname": 1749, "FileHash-SHA256": 726, "FileHash-MD5": 88, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 7068, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "https://mtl-plomberie.fr/2536532-\u1200\u1260\u123b-video-xxx.html", "device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com", "ssa-gov.authorizeddns", "api.optimizer.insitemaxdev.gov2x.com", "https://mtl-plomberie.fr/1210582-sperm-release-can-pictures-that-naija.html", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "https://kayleighvandalen.nl/8455490-up-hot-bottoms-xxxonxxx-pics-galleries.html", "198.49.6.6 \u00bb Loveland, United States of America ASN AS25825 poudre valley health care inc.", "Alerts: cape_detected_threat https_ urls", "Malware Hosting: 13.107.226.70", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "supply.qld.gov.au", "https://floorgoddijn.nl/3798393-dad-dont-my-image-hole-fuck-ass.html", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "FileHash-SHA256 cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4", "cpe-1-159-170-17.wb05.wa.asp.telstra.net", "Domains Contacted: ntp.ubuntu.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "Sprouts Farmers Market", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "Scanning Host: 13.107.246.70", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "bestofus.org Location: United States of America ASN AS18693 university of colorado hospital", "Yara Detections: Mirai_Botnet_Malware Alerts: dead_host network_icmp nolookup_communication", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "rmhumanservices.org", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "ELF:Mirai-BZ\\ [Trj] cc0f195fe54b9981b1ea3815e44b85a0fb3571be732bd5b4034f57690436f4c4 | Australia ASN AS1221 telstra corporation", "IP\u2019s Contacted: 1.0.128.143 1.10.54.226 1.107.217.150 1.112.34.224 1.114.165.87 1.116.76.208 1.118.37.88 1.121.139.226 1.122.96.75 1.114.207.168", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Backdoor:Linux/Mirai.B FileHash-SHA1 5df4c3322a68750c6b0c931e8ebebaa60c0a0555", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "Yara Detections: Nrv2x , upx_3 , UPX_OEP_place , UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser ,", "https://hypnosen.fr/4306769-women-xxvideos-matured-village-african-scene-wapdam.html", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "ConventionEngine_Anomaly_MultiPDB_Double", "Domains Contacted: drive.usercontent.google.com", "chinaeast2.admin.api.powerautomate.cn", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "acc.lehigtapp.com - malware", "ELF:Mirai-BZ\\ [Trj] \u00bb device-290db215-637a-441f-b5f4-81bf8bd75ae5.remotewd.com | 1.159.170.17 | Perth, Australia ASN AS1221 telstra corporation", "1.organization.api.powerplatform.partner.microsoftonline.cn", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "http://wonporn.com/top/Pakistani_Sucking", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "okta-dev.gov2x.com", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "https://kb.drakesoftware.com/Site/Browse/15183/State", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "Multiple other undocumented malware", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "savethemalesdenver.com \u00bb https://www.uchealthcares.org | myuchealth.net | 168.200.5.63 | http://ITSupport.uchealth.org", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "Yara Detections: Mirai_Botnet_Malware , MAL_ELF_LNX_Mirai_Oct10_2 , SUSP_XORed_Mozilla , is__elf", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "freedns.afraid.org", "https://maisonduweb3.fr/6014324-porn-you-ebony-pics-black-xxx.html", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "verify.gov.tl", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "South Africa based: remote.advisoroffice.com", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "Pegasus | A targets devices are obviously infiltrated", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "hmmm\u2026http://palander.stjernstrom.se/", "https://hello.riskxchange.co/api/mailings/unsubscribe", "https://jviwczq.zc-apple.com/", "https://securityaffairs.com/", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "supplierportal.gov2x.com", "remotewd.com x 34 devices", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "iot.insitemaxdev.gov2x.com", "https://www.mlkfoundation.net/ (Foundry DGA)", "Sabey , Ahmann, Quasi Government, Government", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "Trojan:Win32/Zombie.A FileHash-SHA256 ff43920cf098063475b4c62cd63e550fb783e3be1cf7458688b5c1d2d94c6830", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Hoc Working", "APT 10" ], "malware_families": [ "Cve-2025-42957", "Cve-2023-27997", "Trojanclicker:win32/frosparf", "Sova", "Trojan:win32/qqpass", "Bayrob", ".a , alf:heraklezeval:pws:win32/ldpinch!rfn", "!#lowfiwritemzinunusualextension", "Worm:win32/autorun!atmn", "Pegasus", "Onelouder", "Win.trojan.emotet-9850453-0", "#lowfi:hookwowlow", "Sf:shellcode-au\\ [trj]", "!#addscopytostartup", "Elf:mirai-bz\\ [trj]", "Win32:trojano-chf\\ [trj]", "\"prepending (enc) ransomware\" (not an official name)", "Trojandownloader:win32/fosniw", "Alf:program:win32/webcompanion", "Virtool:win32/ceeinject.gen!ah", "Win.malware.installcore-6950365-0", "Alf:heraklezeval:trojan:win32/salgorea!rfn", "Win.trojan.cobaltstrike-9044898-1", "Andromeda", "Unix.trojan.mirai-6976991-0", "Apt 10", "Pws:win32/ymacco.aa50", "Mirai", "Backdoor:linux/mirai.b", "Worm:win32/mofksys.rnd!mtb", "Trojan:win32/zombie.a", "Sality", "Alf:trojan:win32/anorocuriv.a", "Slf:win64/cobpipe.a", "Trojandownloader:win32/cutwail.bs", "Win.trojan.pushdo-15", "Nivdort checkin", "Win.trojan.vbgeneric-6735875-0", "Win32:evo-gen\\ [susp]", "Mirai_botnet_malware", "Koobface", "Win.downloader.3867-1" ], "industries": [ "Golfing", "Legal", "Critical infrastructure", "Education", "Technology", "Healthcare", "Retail", "Government", "Manufacturing" ], "unique_indicators": 98155 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/joewa.com", "whois": "http://whois.domaintools.com/joewa.com", "domain": "joewa.com", "hostname": "36ads.joewa.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6976d69ecbc0497f97e28618", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:10.502000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6a601f06adcd1ed22fc", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:18.022000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6976d6afd744c55bd596ed6e", "name": "Sprouts Farmers Market - Apple Product Access Attack | Pegasus | EndGame (01.25.26)", "description": "Suspicious redirect on an infected Apple product. Pegasus auto populated. Targets positive for Pegasus Hit List. Brian Sabey , Christopher P. Ahmann , State of Colorado quasi government entities. \n\nPegasus isn\u2019t obviously seen in this pulse. Next pulse will show Installer.\n[OTX Auto Populated- LevelBlue - Open Threat Exchange - Why?] \n#ProjecctEndgame #Pegasus #Sprouts #SuspiciousRedirect #Malicious_Coding #Hello", "modified": "2026-02-25T02:03:02.441000", "created": "2026-01-26T02:51:27.248000", "tags": [ "united", "error", "port", "destination", "host", "tlsv1", "intel", "ms windows", "worm", "delphi", "write", "malware", "suspicious", "autorun", "bloat", "checkin", "google", "drive", "cape", "lowfi", "hookwowlow dec", "passive dns", "mtb jan", "mtb nov", "hookwowlow nov", "twitter", "trojandropper", "virtool", "win32", "susp", "hookwowlow", "injection", "please", "x msedge", "ipv4 add", "urls", "dynamicloader", "windows", "professional", "delete c", "tls issuing", "x005x00xc0", "xc0xc0", "xc0nxc0tx00jx00", "stwa", "lredmond", "explorer", "powershell", "accept", "corporation10", "trojan", "pegasus", "url add", "http", "hostname", "files domain", "files related", "related tags", "present sep", "present aug", "redacted for", "ip address", "search", "unknown cname", "memcommit", "default", "sectigo limited", "read c", "gb st", "inprocserver32", "sectigo public", "defender", "next", "present jan", "spain", "domain add", "files", "asn as15169", "flag", "click", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "ck techniques", "mitre att", "ck matrix", "starfield", "hybrid", "general", "path", "strings", "extraction", "data upload", "failed", "include review", "exclude sugges", "stop data", "levelblue", "open threat", "url https", "none google", "url http", "no expiration", "iocs", "domain", "pdf report", "pcap", "stix", "openioc", "ocs to", "exclude", "suggesteu", "find s", "snow", "aitypes", "suspicious_redirect", "url_encoding", "present dec", "unknown aaaa", "present oct", "record value", "body", "encrypt", "access att", "link initial", "ascii text", "pattern match", "sha256", "show technique", "iframe", "local", "united states", "brian sabey", "christopher p. ahmann", "black rock", "td td", "td tr", "a td", "dynamic dns", "meta name", "strong", "static dns", "date", "null", "enough", "hosts", "fast" ], "references": [ "Sprouts Farmers Market", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2", "https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?", "Pegasus | A targets devices are obviously infiltrated", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections: Zeppelin_30 , Zeppelin_19 , ConventionEngine_Term_Desktop ,", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Launch , Delphi", "Alerts: cape_detected_threat https_ urls", "IP\u2019s Contacted: 142.250.217.65 142.251.33.110 69.42.215.252", "Domains Contacted: xred.mooo.com freedns.afraid.org docs.google.com crls.pki.goog", "Domains Contacted: drive.usercontent.google.com", "ConventionEngine_Anomaly_MultiPDB_Double", "https://jviwczq.zc-apple.com/", "SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx", "Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD,", "Malware Hosting: 13.107.226.70", "Scanning Host: 13.107.246.70", "https://blog.endgames.com/ \u2022 https://pages.endgames.com \u2022 https://www.endgames.com", "http://www.endgames.com \u2022 http://www.endgames.com/ \u2022 https://blog.endgames.com \u2022 http://pages.endgames.com/", "pages.endgames.com\u2022 http://blog.endgames.com \u2022 http://blog.endgames.com/ \u2022 http://pages.endgames.com", "www.endgame.com \u2022 blog.endgames.com \u2022 blog.endgames.us \u2022 blog.endgamesystems.com\t\u2022 www.onyx-ware.com", "https://wg41xm05b3.endgamesystems.com/ \u2022 https://www.endgamesystems.com \u2022 https://www.endgamesystems.com/", "endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "endgames.us \u2022 endgames.com \u2022 endgamesystems.com \u2022 http://www.endgames.us \u2022 http://www.endgames.us/", "https://wg41xm05b3.endgamesystems.com \u2022 http://blog.endgames.us/ \u2022 http://blog.endgames.us", "https://blog.endgamesystems.com \u2022 https://blog.endgamesystems.com/ \u2022 https://httpswww.endgamesystems.com", "https://blog.endgames.us \u2022 https://blog.endgames.us/ \u2022 https://www.endgames.us \u2022 https://www.endgames.us/", "wg41xm05b3.endgamesystems.com \u2022 http://blog.endgamesystems.com \u2022 http://blog.endgamesystems.com/", "http://httpswww.endgamesystems.com \u2022 http://wg41xm05b3.endgamesystems.com \u2022 http://www.endgamesystems.com/", "http://wg41xm05b3.endgamesystems.com/ \u2022http://www.endgamesystems.com", "sprouts@em.sprouts.com?", "http://blackrock.work.gd/", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io/", "blackbox-exporter.lenovo-k8s.home.local.advena.io", "https://blackbox-exporter.lenovo-k8s.home.local.advena.io", "http://blackbox-exporter.lenovo-k8s.home.local.advena.io", "supplierportal.gov2x.com", "http://wonporn.com/top/Pakistani_Sucking", "https://embed-nl.pornoperso.com/storage/videos/l/o/lottie/lottie-moss-nude-spreading-it-open-wide-fo", "https://otx.alienvault.com/indicator/url/https://sl.trustedtechteam.com/t/112341/opt_out/25cf6e0a-4f09-4066-ac1d-ded32587a303", "supply.qld.gov.au", "okta-dev.gov2x.com", "verify.gov.tl", "api.optimizer.insitemaxdev.gov2x.com", "iot.insitemaxdev.gov2x.com", "https://kb.drakesoftware.com/Site/Browse/15183/State", "https://support.drakesoftware.com/oidc-callback&response_mode=query&response_type=code&scope=openid openid profile email&state=OpenIdConnect.AuthenticationProperties=VWCAd8SYI908zOmw3cLV0bBiMQ-qzTmuLAOEu1zXcvGui69s75FlxoGyoi9h1TNe6C5MlboHQM_xJqlqHjIBmxbRn-oJzJr3TfLSdIw_joIphiQwbzCTE1_5-elZiRtGglrbVEqQCSBFbo3AlcHMdEQyyO_3brHjBAm4yhRw04eEYb4DhQTrBumIoEyEAsxDnnhElMDx7h6lPliA_JWZW3IabbYj5k8oFf9lS-XgQAqEkYbPRkhT8d96uNjSlex7BcM0Ug&nonce=639003960753552218.MGNhMjllMTktYTA3My00NzUzLTljYjUtNzNkNzM0NTA0OGEyZTZlYmZjYW", "freedns.afraid.org", "https://hello.riskxchange.co/api/mailings/unsubscribe", "Sabey , Ahmann, Quasi Government, Government" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453-0", "display_name": "Win.Trojan.Emotet-9850453-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "#LowFI:HookwowLow", "display_name": "#LowFI:HookwowLow", "target": null }, { "id": "Win.Trojan.CobaltStrike-9044898-1", "display_name": "Win.Trojan.CobaltStrike-9044898-1", "target": null }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "SLF:Win64/CobPipe.A", "display_name": "SLF:Win64/CobPipe.A", "target": "/malware/SLF:Win64/CobPipe.A" }, { "id": "ALF:Program:Win32/Webcompanion", "display_name": "ALF:Program:Win32/Webcompanion", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "ALF:Trojan:Win32/Anorocuriv.A", "display_name": "ALF:Trojan:Win32/Anorocuriv.A", "target": null }, { "id": "Sf:ShellCode-AU\\ [Trj]", "display_name": "Sf:ShellCode-AU\\ [Trj]", "target": null }, { "id": "Win.Trojan.Pushdo-15", "display_name": "Win.Trojan.Pushdo-15", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "Win32:Trojano-CHF\\ [Trj]", "display_name": "Win32:Trojano-CHF\\ [Trj]", "target": null }, { "id": "Win.Downloader.3867-1", "display_name": "Win.Downloader.3867-1", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null }, { "id": "Virtool:Win32/CeeInject.gen!AH", "display_name": "Virtool:Win32/CeeInject.gen!AH", "target": "/malware/Virtool:Win32/CeeInject.gen!AH" }, { "id": "Pegasus", "display_name": "Pegasus", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1456", "name": "Drive-by Compromise", "display_name": "T1456 - Drive-by Compromise" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1055.008", "name": "Ptrace System Calls", "display_name": "T1055.008 - Ptrace System Calls" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [ "Retail", "Government", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12640, "hostname": 4429, "email": 7, "domain": 1250, "FileHash-SHA256": 1633, "FileHash-MD5": 278, "FileHash-SHA1": 343, "SSLCertFingerprint": 17 }, "indicator_count": 20597, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68fd0cc422cea2fd989581fd", "name": "LevelBlue - Open Threat Exchange (Malicious Attacks)", "description": "I\u2019ll\nrefer to these bad actors as the .lol .fun group. London, Australia , South Africa with US base External resources. With this group, you e probably met though attackers.. OTX errors! Difficult to pulse. There are some profiles in here that are shady and attempt or do co connect to your products. They usually begin social engineering by saying that you have a \u2018problem\u2019 just like they do. Say they are from Canada or\nFrance , somewhere abroad when they are down the street using your services. There was user \u2018Merkd\u2019 whose entire system seem to become infected by someone or someone about this platform. Check the IP address at all\nTo see if it matches or is on the same block as OTC, region will show as well. Hackers may potentially cnc / move your profile on their own block. What happened today was weird. Alien Vault became a PHP and turned bright pink and black, requesting I download page. Keep your systems locked down if you\u2019re researching not reporting vulnerabilities.", "modified": "2025-11-24T17:02:12.441000", "created": "2025-10-25T17:45:40.291000", "tags": [ "ipv4", "levelblue", "open threat", "date sat", "connection", "etag w", "cloudfront", "sameorigin age", "vary", "ip address", "kb body", "gtmkvjvztk", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "learn", "exchange og", "levelblue open", "threat exchange", "exchange", "google tag", "iocs", "search otx", "included iocs", "review iocs", "data upload", "extraction", "layer protocol", "v full", "reports v", "port t1571", "t1573", "oc0006 http", "c0014", "get http", "dns resolutions", "user", "data", "datacrashpad", "edge", "tag manager", "us er", "help files", "shell", "html", "cve202323397", "iframe tags", "community score", "url http", "url https", "united", "united kingdom", "netherlands", "search", "type indicator", "role title", "added active", "related pulses", "indicator role", "title added", "active related", "otc oct", "report spam", "week ago", "scan", "learn more", "filehashmd5", "filehashsha1", "domain", "australia", "does", "josh", "created", "filehashsha256", "present jul", "present oct", "date", "a domains", "script urls", "for privacy", "moved", "script domains", "meta", "title", "body", "pragma", "encrypt", "ck ids", "t1060", "run keys", "startup", "folder", "t1027", "files", "information", "t1055", "injection", "capture", "south korea", "malaysia", "pulses", "fatal error", "hacker known", "name", "unknown", "risk", "weeks ago", "scary", "sova", "colorado", "wire", "name unknown", "thursday", "denver", "types of", "indicators hong", "kong", "tsara brashears", "african", "ethiopia", "b8reactjs", "india", "america", "x ua", "hostname", "dicator role", "pulses url", "airplane", "icator role", "t1432", "access contact", "list", "t1525", "image", "security scan", "heuristic oct", "discovery", "t1069", "t1071", "protocol", "t1105", "tool transfer", "t1114", "t1480", "internal image", "brian sabey", "month ago", "modified", "days ago", "green well", "sabey stash", "service", "t1040", "sniffing", "t1045", "packing", "t1053", "taskjob" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sova", "display_name": "Sova", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 956, "FileHash-SHA1": 906, "FileHash-SHA256": 2651, "URL": 4450, "domain": 708, "hostname": 2403, "CVE": 1, "email": 5 }, "indicator_count": 12080, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edc1c2be848e73a32ab9ba", "name": "Fatal Error - Hacker Known \u2022 Name Unknown | Lives @ risk", "description": "I am connected to targeteds phone. My location is autonomous _ will show up in Colorado most likely. \n\nScary, this weekend a woman dressed like a peasant somehow managed to give me a letter past Thursday with information about a death in the 11th floor of an Apartment in Denver. The Sova. Alleged drug overdose may have actually been a homicide, I sound & feel crazy, there were names inside , emails , plans for Airplane attacks affecting civilians this month. I couldn\u2019t, wouldn\u2019t create this. Apparently UK born citizens sponsored by a Google hierarchy were able to weave their way into the lives a family member & Tsara Brashears . These are white males, anlso involved are citizens from African, Ethiopia, India and America deeply involved. They used fake names and I have said too much. If there is an helpful person on here please help!!! There\nis worse and it might be legal hits to insight money for war!\n#nso_related", "modified": "2025-11-13T02:02:12.454000", "created": "2025-10-14T03:21:38.305000", "tags": [ "pulses ipv4", "ipv4", "div div", "united", "script script", "a li", "present jul", "param", "entries", "present aug", "certificate", "global domains", "date", "title", "class", "meta", "agent", "stack", "life", "a domains", "passive dns", "urls", "ok server", "gmt content", "type", "hostname add", "pulse pulses", "files", "win32mydoom oct", "trojan", "next associated", "pulse", "reverse dns", "twitter", "body", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "yara rule", "ff d5", "ascii text", "f0 ff", "eb e1", "unknown", "copy", "write", "malware", "push", "next", "autorun", "suspicious", "ip address", "unknown ns", "unknown aaaa", "ipv4 add", "location united", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ck id", "show technique", "mitre att", "path", "error", "fatalerror", "general", "hybrid", "local", "click", "strings", "filehashsha256", "filehashmd5", "filehashsha1", "iist", "malware family", "mydoom att", "ck ids", "t1060", "run keys", "indicator role", "title added", "active related", "showing", "url https", "url http", "startup", "folder", "web protocols", "t1105", "tool transfer", "indicators hong", "kong", "china", "germany", "australia", "search", "type indicator", "role title", "added active", "related pulses", "wire", "t1071" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2724, "hostname": 1212, "domain": 410, "FileHash-MD5": 408, "email": 9, "FileHash-SHA256": 604, "FileHash-SHA1": 307 }, "indicator_count": 5674, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb233ba91aa1eb958b3f31", "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022 OneLouder", "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea", "modified": "2025-10-17T19:03:15.031000", "created": "2025-09-17T21:08:11.518000", "tags": [ "script urls", "meta", "moved", "x tec", "passive dns", "encrypt", "america flag", "san francisco", "extraction", "data upload", "type indicatod", "united states", "a domains", "united", "gmt server", "jose", "university", "bill", "rmhs", "information", "board", "lorin", "joseph", "all veterans", "rocky mountain", "mission", "vice", "april", "school", "austin", "prior", "ipv4 add", "urls", "files", "location united", "wordpress", "rmhs meta", "tags viewport", "rmhs og", "rmhs article", "wpbakery page", "builder", "slider plugin", "google tag", "mountain human", "denver", "connecting", "denver start", "relevance home", "providers", "contact us", "rmhs main", "server", "redacted tech", "redacted admin", "registrar abuse", "algorithm", "key identifier", "x509v3 subject", "dnssec", "country", "ttl value", "graph summary", "resolved ips", "ip address", "port", "data", "screenshots no", "involved direct", "country name", "name response", "tcp connections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "found", "spawns", "t1590 gather", "path", "ascii text", "exif standard", "tiff image", "format", "stop", "false", "soldier", "model", "youth", "baby", "june", "general", "local", "click", "strings", "core", "warrior", "green", "emotion", "flash", "nina", "hunk", "fono", "daam", "mitre att", "ck techniques", "id name", "malicious", "windows nt", "win64", "khtml", "gecko", "brand", "microsoft edge", "show process", "self", "date", "comspec", "hybrid", "form", "log id", "gmtn", "tls web", "b2 f6", "b0n timestamp", "f9401a", "record value", "x wix", "certificate", "domain add", "pulse submit", "body", "domain related", "blackbox", "apple", "helix", "dvrdns", "tracking", "remote access", "ios", "spyware", "hoax", "dynamicloader", "ptls6", "medium", "flashpix", "high", "ygjpavclsline", "officespace", "chartshared", "powershell", "write", "malware", "ygjpaulscontext", "status", "japan unknown", "domain", "pulses", "search", "accept", "apt10", "trojanspy", "win32", "entries", "susp", "backdoor", "useragent", "showing", "virtool", "twitter", "mozilla", "trojandropper", "trojan", "title", "onelouder", "yara det", "maware samoe", "genaco x", "ids detec", "ids terse", "win3 data", "include review", "exclude sugges", "targeting", "show", "copy", "reads", "dynamic", "vendor finding", "notes clamav", "files matching", "number", "sample analysis", "hide samples", "date hash", "next yara" ], "references": [ "rmhumanservices.org", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt", "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt", "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe", "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/", "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound", "https://www.mlkfoundation.net/ (Foundry DGA)", "remotewd.com x 34 devices", "South Africa based: remote.advisoroffice.com", "acc.lehigtapp.com - malware", "http://watchhers.net/index.php (espionage entity /palantir relationship - seen before with palantir and Pegasus sometimes simultaneously )", "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022 emails.redvue.com \u2022", "Active - pointing: https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635", "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar", "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/", "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting", "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE", "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net", "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2", "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)", "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname", "1.organization.api.powerplatform.partner.microsoftonline.cn", "chinaeast2.admin.api.powerautomate.cn", "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/", "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A", "ssa-gov.authorizeddns", "hmmm\u2026http://palander.stjernstrom.se/", "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU" ], "public": 1, "adversary": "APT 10", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "APT 10", "display_name": "APT 10", "target": null }, { "id": "OneLouder", "display_name": "OneLouder", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Sality", "display_name": "Sality", "target": null }, { "id": "KoobFace", "display_name": "KoobFace", "target": null }, { "id": "Bayrob", "display_name": "Bayrob", "target": null }, { "id": "Nivdort Checkin", "display_name": "Nivdort Checkin", "target": null }, { "id": "Win.Malware.Installcore-6950365-0", "display_name": "Win.Malware.Installcore-6950365-0", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Golfing", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 690, "hostname": 1912, "URL": 5925, "FileHash-SHA1": 273, "email": 8, "FileHash-SHA256": 3618, "CIDR": 3, "FileHash-MD5": 254, "SSLCertFingerprint": 19, "CVE": 2 }, "indicator_count": 12704, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "183 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68bc8015944465ffa1c03148", "name": "Security Affairs affecting Critical Infrastructure", "description": "Security affairs.com found in a State Policy & Financing website research due to social engineering & insurance policies hacking scheme. \u2022 SecurityAffairs.com statement: The website specializes in cybersecurity and its related fields, providing insights into current threats and trends. \nContent:\nIt features news articles, investigative reports, and analyses from experts in the field. \nTopics:\nContent often includes discussions on:\ncybercrime,\ncybersecurity trends ,\nintelligence and geopolitics,\nemerging threats. (I can\u2019t verify because idk).\n\n(Auto populated: 335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997)\nAdversary auto populated: Suggested Adversaries:\nMember Ad-Hoc Working ADVERSARIES Group on Cyber Threat Landscapes, Ethical Hacker, Security Evangelist", "modified": "2025-10-06T18:03:15.359000", "created": "2025-09-06T18:40:21.276000", "tags": [ "script urls", "security", "script domains", "ip address", "meta", "stealth window", "reads_self", "creates_largekey", "dynamic_function_loading", "script_created_process", "antivm_generic_disk", "ids", "infostealer_cookies", "infostealer_keylog", "custom malware", "suspicious_command_tools", "antisandbox_mouse_hook", "dynamicloader", "tlsv1", "ogoogle trust", "cngts ca", "tls handshake", "failure", "united", "high", "search", "write", "malware", "unknown", "extraction", "data upload", "extraction data", "enter soudae", "hdi ad", "temdac c", "extri", "include review", "trojandropper", "mtb jun", "passive dns", "files", "location united", "twitter", "exploit", "delete c", "intel", "ms windows", "medium", "pe32", "port", "destination", "present sep", "a domains", "creation date", "error", "title", "android", "known exploited", "google", "salesloft drift", "qantas", "july", "meetc2", "c2 framework", "google calendar", "apis", "critical", "rokrat", "windows", "tags none", "file type", "virustotal api", "screenshots", "comments", "learn", "suspicious", "informative", "adversaries", "ck id", "name tactics", "command", "defense evasion", "spawns", "t1590 gather", "copy md5", "copy sha1", "copy sha256", "additional info", "yara signature", "unicode text", "utf8 text", "idat", "style", "defs", "command decode", "strings", "yxgbc", "core", "flag", "date", "markmonitor", "server", "automattic", "name server", "proxy", "llc name", "windir", "pattern match", "mitre att", "show technique", "ck matrix", "sha1", "show process", "hybrid", "general", "local", "path", "encrypt", "form", "iframe", "click", "server response", "google safe", "results aug", "affairs", "founder", "cybhorus", "cybaze", "member adhoc", "working group", "cyber threat", "landscapes", "ethical hacker", "hoc working", "ssl certificate", "initial access", "href", "ascii text" ], "references": [ "https://securityaffairs.com/", "/181480/cyber-crime/iot-under-siege-the-return-of-the-mirai-based-gayfemboy-botnet.html", "https://securityaffairs.com/106770/deep-web/ubereats-data-leaked-dark-web.html", "https://securityaffairs.com/107190/data-breach/sodinokibi-ransomware-brown-forman.html", "https://securityaffairs.com/115693/apt/chinese-hackers-5g.html", "https://securityaffairs.com/109224/data-breach/food-delivery-service-chowbus-hack.html", "https://securityaffairs.com/112637/cyber-crime/the-hospital-group-revil.html", "https://securityaffairs.com/139472/data-breach/commonspirit-data-breach-623k-patients.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "https://securityaffairs.com/148110/hackinq/fortinet-fortios-vulnerable-devices-online.html", "Multiple other undocumented malware" ], "public": 1, "adversary": "Hoc Working", "targeted_countries": [], "malware_families": [ { "id": "!#AddsCopyToStartup", "display_name": "!#AddsCopyToStartup", "target": null }, { "id": "!#LowFiWriteMZInUnusualExtension", "display_name": "!#LowFiWriteMZInUnusualExtension", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "\"prepending (enc) ransomware\" (Not an official name)", "display_name": "\"prepending (enc) ransomware\" (Not an official name)", "target": null }, { "id": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": ".A , ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Salgorea!rfn", "target": null }, { "id": "CVE-2025-42957", "display_name": "CVE-2025-42957", "target": null }, { "id": "CVE-2023-27997", "display_name": "CVE-2023-27997", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Manufacturing", "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 187, "FileHash-SHA1": 152, "FileHash-SHA256": 1140, "URL": 1258, "domain": 237, "email": 1, "hostname": 470, "SSLCertFingerprint": 17, "CVE": 3 }, "indicator_count": 3465, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689d5115ad786de4ff048e5b", "name": "TEL:ECCert!SSLCO | Mirai Malware Hosting | Multi user Tracker", "description": "https://api.mirai.com/MiraiWebService/passbook/180823-77257/4001645 [Malware hosting]\n*TEL:ECCert!SSLCO\nYARA Detections:\nDelphi\nThis program must be run under Win32\ncompilers.\nCode Overlap of Trojan Droppers Backdoors , TrojanSpy\n\n\n#injection_inter_process\n#creates_largekey\n#network_bind\n#ransomware_file_modifications\n#antivm_generic_bios\n#antivm_generic_disk\n#enumerates_physical_drives\n#physical_drive_access\n#deletes_executed_files\n#recon_fingerprint\n#suspicious_command_tools\n#anomalous_deletefile\n#antisandbox_sleep\n#dead_connect\n#dynamic_function_loading\n#http_request\n#ipc_namedpipe\n#network_anomaly\n#powershell_download\n#powershell_request #track #locate #remote_access", "modified": "2025-09-13T02:00:42.729000", "created": "2025-08-14T02:59:33.036000", "tags": [ "url https", "url http", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "present sep", "united", "present aug", "present jul", "present jun", "moved", "unknown ns", "present may", "present apr", "passive dns", "date", "encrypt", "body", "cookie", "gmt server", "content type", "dynamicloader", "medium", "x17x03x01", "download studio", "high", "read c", "show", "windows", "copy", "powershell", "write", "anomaly", "next", "unknown", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "yara detections", "delphi", "codeoverlap", "win32", "rgba", "memcommit", "delete", "png image", "hash", "dock", "execution", "malware", "wine emulator", "dynamic", "msie", "windows nt", "wow64", "slcc2", "media center", "capture", "persistence", "sha256", "submitted", "copy md5", "copy sha1", "copy sha256", "sha1", "script", "mitre att", "ck id", "show technique", "ck matrix", "null", "august", "span", "refresh", "meta", "mirai", "february", "april", "june", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "caribe", "rest", "accept", "friday", "look", "verify", "restart" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6211, "domain": 682, "hostname": 1661, "FileHash-MD5": 117, "FileHash-SHA1": 100, "FileHash-SHA256": 1386, "SSLCertFingerprint": 5 }, "indicator_count": 10162, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "218 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688f3a54e7db6a02a7bb25c9", "name": "Bank of America - Gafgyt \u2022 TrojanSpy \u2022 South African Service Center (BotNet)", "description": "Bank of America South African Service Center BotNet - IoT botnet Gafgyt targets popular routers through RCE vulnerabilities, also known as BASHLITE, discovered in 2014. It is a Linux-based Mirai related IoT botnet \u2022\n 197.221.2.3 - www.readersareleaders.co.za\twww.readersareleaders.co.za\t[South Africa] AS37153 african network information center\nThis is the call center affecting multiple entities, targeting involved. Affects AllState [Esurance = NGIC? ] BoFa \u2022 T-mobile | MetroBy T\u2022 Mobile \u2022 .\nWhy is Bank of America so sketchy? \n[remote.dekro.co.za]", "modified": "2025-09-02T09:02:13.372000", "created": "2025-08-03T10:30:43.521000", "tags": [ "dynamicloader", "medium", "write c", "entries", "show", "search", "http traffic", "utf8", "crlf line", "post", "trojanspy", "copy", "powershell", "write", "delphi", "win32", "next", "graphics", "gaz company", "turbo exe", "company turbo", "code", "malware", "dcom", "execution", "error", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "development att", "defense evasion", "south africa", "td tr", "unknown a", "td td", "tbody", "tr tr", "passive dns", "ddos", "next associated", "body", "click", "unknown soa", "unknown cname", "location south", "africa asn", "as37153", "pulses none", "related tags", "none indicator", "facts", "asn as37153", "associated urls", "date checked", "url hostname", "server response", "ip address", "mtb oct", "date", "united", "urls", "ov ssl", "record value", "object", "pulse", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "show technique", "ck matrix", "pattern match", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "strings", "tools", "look", "verify", "restart", "t1480 execution" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 732, "domain": 175, "hostname": 470, "FileHash-SHA256": 346, "FileHash-MD5": 141, "FileHash-SHA1": 132, "email": 1 }, "indicator_count": 1997, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688e31b80edd775fe5d2f34f", "name": "Social Engineering led to -#Lowfi:HSTR:Win32/iWin.B", "description": "Likely: Phone referral led to an in person meeting, financial transaction, telephone numbers exchange, website click, in home service call. The alternative is compromised target was redirected to malicious host or service provider became compromised by targeted persons issue.\nThere are several targeted people. This person is closely associated with a target.(idk -malicious)\nMitre: T1055.015\tListPlanting\t\nDefense Evasion\nPrivilege Escalation\nAdversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:41:44.319000", "tags": [ "united", "search", "moved", "ip address", "creation date", "record value", "date", "gmt server", "gmt content", "certificate", "apache", "encrypt", "gmt path", "set cookie", "httponly", "passive dns", "urls", "address", "meta", "dynamicloader", "write c", "medium", "tlsv1", "show", "entries", "high", "http", "copy", "upatre", "write", "unknown", "asn15169", "google", "asn46606", "unifiedlayeras1", "frankfurt", "main", "germany", "google safe", "browsing", "script urls", "a domains", "libs", "monstroid2", "link", "accept encoding", "script domains", "title", "vary", "jquery", "pulse pulses", "hostname xn", "files domain", "showing", "next associated", "urls show", "date checked", "url hostname", "server response", "present jul", "for privacy", "roboto", "delete", "trojan", "globalc", "mozilla", "guard", "malware", "iwin", "local", "lowfi", "helper", "nsisdl", "executable", "amazon s3", "pe exe", "dll windows", "http yara", "alerts", "meta http", "content", "pragma", "content type", "body", "service", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "found", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "windows nt", "mitre att", "ascii text", "show technique", "path", "span", "click", "august", "hybrid", "general", "strings", "footer", "ck matrix" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 460, "hostname": 744, "URL": 3496, "email": 4, "domain": 394, "FileHash-SHA256": 2072, "FileHash-MD5": 464, "SSLCertFingerprint": 7 }, "indicator_count": 7641, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://36ads.joewa.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://36ads.joewa.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776622123.9526272 }