{ "type": "URL", "indicator": "https://4.environment.api.ppusercontent.partner.microsoftonline.cn", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://4.environment.api.ppusercontent.partner.microsoftonline.cn", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4142064251, "indicator": "https://4.environment.api.ppusercontent.partner.microsoftonline.cn", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "69aa003c63c19b7be7671c65", "name": "re post by Q.Vashti cloned", "description": "", "modified": "2026-03-06T05:11:14.366000", "created": "2026-03-05T22:14:20.388000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "68ffa35cd4eefffa0ffbeae1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 179, "URL": 1615, "hostname": 946, "CVE": 1 }, "indicator_count": 4256, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e9b142a8508d5257d1662", "name": "Criminal Defender Chris Ahmann responsible for continued Apple hackathons removing IoC\u2019 l Targeting Tsara Brashears evidence of crime . Hit Man", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T07:53:56.560000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6907cc66855b7dfe1306b0d8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7437, "hostname": 1765, "domain": 686, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13259, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ffa35cd4eefffa0ffbeae1", "name": "Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked and they\u2019d gain full CnC of your devices and disappear\u2026", "description": "Sample of FAKE attorneys Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked, they\u2019d gain full CnC of devices & disappear into the background , stealing from cloud, spying, etc..Mafia & Government ties. https://magento.hirecar.net/\n*Unix.Dropper.Mirai-7338044\n*Virus:Win32/Virut.BO\n*Trojan:Win32/Delf.EM\n*DDoS.XOR\n*Backdoor.Win32.Shiz.ivr, *Backdoor.Win32/Simda.gen!A\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*nUFS_html\n*Trojanspy:Win32/Nivdort.CB\n*Win32/Nystprac.A *Ramnit\n*Win32:Sality *Upatre\n*Possible_QuasarRAT_Payload\nxor_0x15_xord_javascript\ninvalid_trailer_structure\n#fp539598-VBS/LoveLetter.BT\n*Trojanspy:Win32/Nivdort.CB\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*Trojan:Win64/Gapro\n\u201cMethodology_RareEquities_Tencent_Proxy\u201d\nvad_contains_network_strings\n*Trojan:Win32/Sisproc!gmb\n*TrojanDownloader:Win32/Upatre\n*PWS:MSIL/Grmasi.YA!MTB\n*Trojan:Win32/Danabot.G\n *Virus:Win32/Virut.EPO\n* Ramnit\nConventionEngine_Term_NewFolder", "modified": "2025-11-26T13:01:56.367000", "created": "2025-10-27T16:52:44.619000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 178, "URL": 1615, "hostname": 944 }, "indicator_count": 4252, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9372439f9a3973097393f", "name": "South African actors are criminally insane Palantir product abusers or employees", "description": "Attempting to wip disks and delete files. Threat actors nearby. \u2018Endgame\u2019 project typically found alongside Project Hilo , Project Helix , Palantir and Foundry. I\u2019m just researching to solve what I thought would be far less complex issues. Stop doing this. Target rarely left house after contact with \u2018watcher\u2019 \u2018MVA by a young 22 year old male also left victim in fear til the end. \nI\u2019m going to call out on anyone pretending to be some else \u2018stop making contact with targets family and associates.\u2019 No one has been pursued or paid for crimes against target. This needs to end.\n\nSouth African actors are criminally insane Palantir product users or employees \n\n#phishing + malware , dns , file deletion attacks. \n\n[OTX auto populated The following is the full text of Entrust, Inc. - for the use of the terms \"entrust\" and \"sassa.gov.za\" - in terms of terms and conditions. ]\n\nIt makes sense. I\u2019m in town. 5 blocks away heading towards SoBo. Hi! Stop", "modified": "2025-11-21T19:01:20.179000", "created": "2025-10-22T19:57:24.562000", "tags": [ "passive dns", "urls", "related nids", "files location", "south africa", "flag south", "africa hostname", "files domain", "files", "entrust", "mulweli", "create c", "read c", "delete", "write", "search", "show", "create", "medium", "showing", "unicode", "next", "dock", "execution", "copy", "t1199", "relationship", "t1561", "wipe", "t1053", "taskjob", "t1055", "injection", "t1056", "capture", "url https", "url http", "malware attacks", "find encrypted", "indicator role", "title added", "active related", "pulses url", "city", "county", "otx auto", "title", "net security", "tags" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 597, "domain": 78, "hostname": 270, "FileHash-SHA256": 183, "FileHash-MD5": 19, "FileHash-SHA1": 5 }, "indicator_count": 1152, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "149 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: packer_unknown", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "config.uca.cloud.unity3d.com", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "sipphone.com", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "http://freedns.afraid.org/images/apple.gif", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "https://www.mumuplayer.com/redirect/customerservice/_wig", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "External Apple Connection: Notepad.pw", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "http://consolefoundry.date/one/gate.php", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://www.mohurd.gov.cn.lxcvc.com/", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy.", "Malicious IP Contacted: 69.42.215.252" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Quickstart", "TAM Legal Christopher P. Ahmann Chief Terrorist" ], "malware_families": [ "Multiple malware attack", "Win.packed.remcos-10024510-0", "Win.trojan.blacknetrat-7838854-0", "Lockbit", "Psw:win32/vb.cu", "Alf:heraklezeval:pua:win32/ultradownloads", "Worm:win32/autorun!atmn", "Win.malware.004bf-6866449-0", "Other malware", "Win.trojan.emotet-9850453", "Other dangerous malware", "Win.dropper.nanocore-10021490-0", "Worn:win32/autorun.xxy!bit", "Custom malware", "Code overlap" ], "industries": [ "Technology", "Healthcare", "Telecommunications", "Government", "Oil", "Legal" ], "unique_indicators": 47509 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/microsoftonline.cn", "whois": "http://whois.domaintools.com/microsoftonline.cn", "domain": "microsoftonline.cn", "hostname": "4.environment.api.ppusercontent.partner.microsoftonline.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "69aa003c63c19b7be7671c65", "name": "re post by Q.Vashti cloned", "description": "", "modified": "2026-03-06T05:11:14.366000", "created": "2026-03-05T22:14:20.388000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "68ffa35cd4eefffa0ffbeae1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 179, "URL": 1615, "hostname": 946, "CVE": 1 }, "indicator_count": 4256, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e9b142a8508d5257d1662", "name": "Criminal Defender Chris Ahmann responsible for continued Apple hackathons removing IoC\u2019 l Targeting Tsara Brashears evidence of crime . Hit Man", "description": "", "modified": "2026-01-01T07:03:18.851000", "created": "2025-12-02T07:53:56.560000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "6907cc66855b7dfe1306b0d8", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7437, "hostname": 1765, "domain": 686, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13259, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "119 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907f7e98289b75f3e5ecaba", "name": "- Treece Alfrey Musat P.C. - Malicious Legal Google Botnet", "description": "Christopher P.\nAhmann\u2019s Google Botnet. Defense attorneys fighting worker\u2019s compensation case and ruining a targets life for years. Malicious.[OTX auto popular-HOSTNAME: Google Video.com (GOOGlevideo.COM), an unauthorised website, has been blocked by the internet service regulator, the regulator of the domain registry.]\n\n#pulsed_by_otx #private_google #legal_goigle #malicious_practices", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-03T00:31:37.396000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69138421066f81131da59cc5", "name": "Malicious Legal Google Botnet - Treece Alfrey Musat P.C.\u2022 Christopher P. Ahmann Spam - Malicious ", "description": "", "modified": "2025-12-03T00:01:23.660000", "created": "2025-11-11T18:44:49.343000", "tags": [ "status", "date", "name servers", "lowfi", "passive dns", "urls", "domain", "susp", "win32", "search", "win64", "error", "url https", "url http", "ipv4", "type indicator", "role title", "added active", "related pulses", "morocco", "united kingdom", "united", "present nov", "aaaa", "present oct", "cname", "brazil", "malaysia", "title", "present jun", "ip address", "creation date", "record value", "emails", "unknown aaaa", "body", "url add", "pulse pulses", "http", "related nids", "files location", "flag united", "trojan", "trojandropper", "virtool", "entries", "next associated", "ipv4 add", "unknown ns", "present jul", "present sep", "present aug", "win32upatre nov", "candyopen", "tlsv1", "port", "destination", "ogoogle trust", "cngts ca", "show", "read c", "youtube", "copy", "dock", "write", "next", "malware", "persistence", "execution", "filehashmd5", "hostname", "filehashsha256", "types of", "germany", "poland", "indicator role", "title added", "active related", "pulses url", "p1377925676", "gaz1", "sid1696503456", "sct1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6907f7e98289b75f3e5ecaba", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 400, "URL": 2857, "FileHash-MD5": 217, "FileHash-SHA1": 172, "FileHash-SHA256": 1426, "email": 6, "hostname": 1019, "SSLCertFingerprint": 6 }, "indicator_count": 6103, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "137 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ffa35cd4eefffa0ffbeae1", "name": "Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked and they\u2019d gain full CnC of your devices and disappear\u2026", "description": "Sample of FAKE attorneys Liar Liar! If this were your attorney; you\u2019d pay $$$ to get hacked, they\u2019d gain full CnC of devices & disappear into the background , stealing from cloud, spying, etc..Mafia & Government ties. https://magento.hirecar.net/\n*Unix.Dropper.Mirai-7338044\n*Virus:Win32/Virut.BO\n*Trojan:Win32/Delf.EM\n*DDoS.XOR\n*Backdoor.Win32.Shiz.ivr, *Backdoor.Win32/Simda.gen!A\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*nUFS_html\n*Trojanspy:Win32/Nivdort.CB\n*Win32/Nystprac.A *Ramnit\n*Win32:Sality *Upatre\n*Possible_QuasarRAT_Payload\nxor_0x15_xord_javascript\ninvalid_trailer_structure\n#fp539598-VBS/LoveLetter.BT\n*Trojanspy:Win32/Nivdort.CB\n*Alf:HeraklezEval:DoS:Linux/Xorddos!rfn\n*Trojan:Win64/Gapro\n\u201cMethodology_RareEquities_Tencent_Proxy\u201d\nvad_contains_network_strings\n*Trojan:Win32/Sisproc!gmb\n*TrojanDownloader:Win32/Upatre\n*PWS:MSIL/Grmasi.YA!MTB\n*Trojan:Win32/Danabot.G\n *Virus:Win32/Virut.EPO\n* Ramnit\nConventionEngine_Term_NewFolder", "modified": "2025-11-26T13:01:56.367000", "created": "2025-10-27T16:52:44.619000", "tags": [ "filehashmd5", "filehashsha256", "ipv4", "filehashsha1", "domain", "types", "indicators show", "search", "type indicator", "role title", "added active", "scan", "iocs", "learn more", "related pulses", "url https", "url http", "countrycn", "countrycn sep", "indicator role", "title added", "active related", "pulses url", "xtblogblockid1", "pulses", "zdata0", "browserie", "browserver8", "defaultie", "ver1360122", "defaultch", "browserver11", "filesize", "browserid1", "qmark", "methodpost" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 381, "FileHash-SHA1": 367, "FileHash-SHA256": 767, "domain": 178, "URL": 1615, "hostname": 944 }, "indicator_count": 4252, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a1ef2dd26ec62a3c298c", "name": "Listeners - Malicious Over the top espionage | Cyber Warfare?", "description": "Cyber attacks on targeted devices stored safely, separately, don\u2019t communicate with one another. PalantirFoundry.com shares IP addresses with Fastly. South African IP\u2019s and DGA domains bounce from US Denver , Co based IP and Domain addresses. Registrar Abuse: HTTP/2 404 content type: text/html content length: 2263 date: Wed 22 Oct 2025 22:32:18 GMT server: Envoy\n443 Certificate Subject: US\n443 Certificate Subject: Colorado\n443 Certificate Subject: Denver\n443 Certificate Subject: Palantir Technologies Inc.\n443 Certificate Subject: listeners.usw-19.palantirfoundry.com", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:33:03.315000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9a6f4e35193c04401daaf", "name": "Emotet & VirTool Obsfuscator - Registrar abuse tracking civilians", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-10-23T03:54:28.671000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69069167e1e2a222bd7762f2", "name": "Palantir - Spyware", "description": "", "modified": "2025-11-22T00:01:42.464000", "created": "2025-11-01T23:01:59.339000", "tags": [ "url https", "url http", "hostname", "mulweli", "mphomafmulweli", "indicator role", "ipv4", "type indicator", "added active", "related pulses", "united", "envoy error", "certificate", "urls", "emails", "active related", "africa", "span", "gmt server", "colorado", "denver", "palantir", "listen", "listen linda", "linda listen", "listeners @ dantesdragon", "palantir", "all y", "se referen", "data upload", "extraction", "extra", "referen data", "overview domain", "passive dns", "files ip", "address", "asn asnone", "as14618", "all se", "include review", "exclude sugges", "failed", "typo", "status", "search", "record value", "server", "domain status", "key identifier", "x509v3 subject", "full name", "registrar abuse", "registrar", "data", "v3 serial", "code", "number", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "sha256", "united states", "power query", "microsoft learn", "ordenar por", "foundry", "input", "blocked", "error id", "conector", "por ejemplo", "sensitive", "quickstart", "present aug", "present oct", "unknown ns", "showing", "present sep", "moved", "title", "files", "reverse dns", "location united", "america flag", "america asn", "asnone dns", "resolutions", "dga domain", "ipv4 add", "url analysis", "name servers", "div div", "expiration date", "page", "present nov", "present jan", "present dec", "present mar", "present feb", "virtool", "cryp", "error", "win32", "domain", "ip address", "domain add", "next associated", "pulse pulses", "ashburn", "extr referen", "exclude", "sugges", "pulse submit", "date", "present jul", "present jun", "fastly error", "please", "handle", "entity", "record type", "ttl value", "msms93992282", "read c", "show", "medium", "tlsv1", "whitelisted", "module load", "t1129", "execution", "dock", "write", "persistence", "next", "unknown", "connector", "cybercrime", "harassment" ], "references": [ "Products are being abused. Users are over zealous at blocking targets from basic human rights and privacy." ], "public": 1, "adversary": "Quickstart", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Multiple Malware Attack", "display_name": "Multiple Malware Attack", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" } ], "industries": [ "Technology", "Government" ], "TLP": "green", "cloned_from": "68f9a1ef2dd26ec62a3c298c", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "privacynotacrime", "id": "349346", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2865, "URL": 5728, "email": 11, "FileHash-MD5": 91, "FileHash-SHA1": 75, "FileHash-SHA256": 1713, "domain": 1193, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 11679, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://4.environment.api.ppusercontent.partner.microsoftonline.cn", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://4.environment.api.ppusercontent.partner.microsoftonline.cn", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776628563.7778394 }